| id: GO-2022-0493 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.17.10 |
| - introduced: 1.18.0-0 |
| - fixed: 1.18.2 |
| vulnerable_at: 1.18.1 |
| packages: |
| - package: syscall |
| symbols: |
| - Faccessat |
| - module: golang.org/x/sys |
| versions: |
| - fixed: 0.0.0-20220412211240-33da011f77ad |
| vulnerable_at: 0.0.0-20220412071739-889880a91fd5 |
| packages: |
| - package: golang.org/x/sys/unix |
| symbols: |
| - Faccessat |
| excluded_symbols: |
| - Access |
| summary: Incorrect privilege reporting in syscall and golang.org/x/sys/unix |
| description: |- |
| When called with a non-zero flags parameter, the Faccessat function can |
| incorrectly report that a file is accessible. |
| published: 2022-07-15T23:30:12Z |
| cves: |
| - CVE-2022-29526 |
| ghsas: |
| - GHSA-p782-xgp4-8hr8 |
| credits: |
| - Joël Gähwiler (@256dpi) |
| references: |
| - fix: https://go.dev/cl/399539 |
| - report: https://go.dev/issue/52313 |
| - fix: https://go.dev/cl/400074 |
| - web: https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU |
| review_status: REVIEWED |