| id: GO-2023-2185 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.20.11 |
| - introduced: 1.21.0-0 |
| - fixed: 1.21.4 |
| vulnerable_at: 1.21.3 |
| packages: |
| - package: path/filepath |
| goos: |
| - windows |
| symbols: |
| - Clean |
| - volumeNameLen |
| - join |
| derived_symbols: |
| - Abs |
| - Base |
| - Dir |
| - EvalSymlinks |
| - Glob |
| - IsLocal |
| - Join |
| - Rel |
| - Split |
| - VolumeName |
| - Walk |
| - WalkDir |
| - package: internal/safefilepath |
| goos: |
| - windows |
| symbols: |
| - fromFS |
| derived_symbols: |
| - FromFS |
| - module: std |
| versions: |
| - introduced: 1.20.11 |
| - fixed: 1.20.12 |
| - introduced: 1.21.4 |
| - fixed: 1.21.5 |
| vulnerable_at: 1.21.4 |
| packages: |
| - package: path/filepath |
| goos: |
| - windows |
| symbols: |
| - volumeNameLen |
| derived_symbols: |
| - Abs |
| - Base |
| - Clean |
| - Dir |
| - EvalSymlinks |
| - Glob |
| - IsLocal |
| - Join |
| - Rel |
| - Split |
| - VolumeName |
| - Walk |
| - WalkDir |
| summary: Insecure parsing of Windows paths with a \??\ prefix in path/filepath |
| description: |- |
| The filepath package does not recognize paths with a \??\ prefix as special. |
| |
| On Windows, a path beginning with \??\ is a Root Local Device path equivalent to |
| a path beginning with \\?\. Paths with a \??\ prefix may be used to access |
| arbitrary locations on the system. For example, the path \??\c:\x is equivalent |
| to the more common path c:\x. |
| |
| Before fix, Clean could convert a rooted path such as \a\..\??\b into the root |
| local device path \??\b. Clean will now convert this to .\??\b. |
| |
| Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path |
| elements into the root local device path \??\b. Join will now convert this to |
| \.\??\b. |
| |
| In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as |
| absolute, and VolumeName correctly reports the \??\ prefix as a volume name. |
| |
| UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the |
| volume name in Windows paths starting with \?, resulting in |
| filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). |
| The previous behavior has been restored. |
| references: |
| - report: https://go.dev/issue/63713 |
| - fix: https://go.dev/cl/540277 |
| - web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY |
| - report: https://go.dev/issue/64028 |
| - fix: https://go.dev/cl/541175 |
| - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ |
| cve_metadata: |
| id: CVE-2023-45283 |
| cwe: 'CWE-41: Improper Resolution of Path Equivalence' |
| references: |
| - http://www.openwall.com/lists/oss-security/2023/12/05/2 |
| - https://security.netapp.com/advisory/ntap-20231214-0008/ |
| review_status: REVIEWED |