internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar - vulndb - Git at Google

 Copyright 2024 The Go Authors. All rights reserved.
 Use of this source code is governed by a BSD-style
 license that can be found in the LICENSE file.

 Expected output of TestCVE5ToReport/CVE-2023-45283.

 -- CVE-2023-45283 --
 id: PLACEHOLDER-ID
 modules:
     - module: std
       versions:
         - fixed: 1.20.11
         - introduced: 1.21.0-0
           fixed: 1.21.4
       packages:
         - package: internal/safefilepath
           goos:
             - windows
           symbols:
             - fromFS
             - FromFS
     - module: std
       versions:
         - fixed: 1.20.11
         - introduced: 1.20.11
           fixed: 1.20.12
         - introduced: 1.21.0-0
           fixed: 1.21.4
         - introduced: 1.21.4
           fixed: 1.21.5
       packages:
         - package: path/filepath
           goos:
             - windows
           symbols:
             - Clean
             - volumeNameLen
             - join
             - Abs
             - Base
             - Dir
             - EvalSymlinks
             - Glob
             - IsLocal
             - Join
             - Rel
             - Split
             - VolumeName
             - Walk
             - WalkDir
 summary: Insecure parsing of Windows paths with a \??\ prefix in path/filepath
 description: |-
     The filepath package does not recognize paths with a \??\ prefix as special. On
     Windows, a path beginning with \??\ is a Root Local Device path equivalent to a
     path beginning with \\?\. Paths with a \??\ prefix may be used to access
     arbitrary locations on the system. For example, the path \??\c:\x is equivalent
     to the more common path c:\x. Before fix, Clean could convert a rooted path such
     as \a\..\??\b into the root local device path \??\b. Clean will now convert this
     to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence
     of path elements into the root local device path \??\b. Join will now convert
     this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths
     beginning with \??\ as absolute, and VolumeName correctly reports the \??\
     prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed
     the definition of the volume name in Windows paths starting with \?, resulting
     in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other
     effects). The previous behavior has been restored.
 references:
     - report: https://go.dev/issue/63713
     - fix: https://go.dev/cl/540277
     - web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
     - report: https://go.dev/issue/64028
     - fix: https://go.dev/cl/541175
     - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
     - web: http://www.openwall.com/lists/oss-security/2023/12/05/2
 cve_metadata:
     id: CVE-2023-45283
     cwe: 'CWE-41: Improper Resolution of Path Equivalence'
 source:
     id: CVE-2023-45283
	Copyright 2024 The Go Authors. All rights reserved.
	Use of this source code is governed by a BSD-style
	license that can be found in the LICENSE file.

	Expected output of TestCVE5ToReport/CVE-2023-45283.

	-- CVE-2023-45283 --
	id: PLACEHOLDER-ID
	modules:
	- module: std
	versions:
	- fixed: 1.20.11
	- introduced: 1.21.0-0
	fixed: 1.21.4
	packages:
	- package: internal/safefilepath
	goos:
	- windows
	symbols:
	- fromFS
	- FromFS
	- module: std
	versions:
	- fixed: 1.20.11
	- introduced: 1.20.11
	fixed: 1.20.12
	- introduced: 1.21.0-0
	fixed: 1.21.4
	- introduced: 1.21.4
	fixed: 1.21.5
	packages:
	- package: path/filepath
	goos:
	- windows
	symbols:
	- Clean
	- volumeNameLen
	- join
	- Abs
	- Base
	- Dir
	- EvalSymlinks
	- Glob
	- IsLocal
	- Join
	- Rel
	- Split
	- VolumeName
	- Walk
	- WalkDir
	summary: Insecure parsing of Windows paths with a \??\ prefix in path/filepath
	description: \|-
	The filepath package does not recognize paths with a \??\ prefix as special. On
	Windows, a path beginning with \??\ is a Root Local Device path equivalent to a
	path beginning with \\?\. Paths with a \??\ prefix may be used to access
	arbitrary locations on the system. For example, the path \??\c:\x is equivalent
	to the more common path c:\x. Before fix, Clean could convert a rooted path such
	as \a\..\??\b into the root local device path \??\b. Clean will now convert this
	to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence
	of path elements into the root local device path \??\b. Join will now convert
	this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths
	beginning with \??\ as absolute, and VolumeName correctly reports the \??\
	prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed
	the definition of the volume name in Windows paths starting with \?, resulting
	in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other
	effects). The previous behavior has been restored.
	references:
	- report: https://go.dev/issue/63713
	- fix: https://go.dev/cl/540277
	- web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
	- report: https://go.dev/issue/64028
	- fix: https://go.dev/cl/541175
	- web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
	- web: http://www.openwall.com/lists/oss-security/2023/12/05/2
	cve_metadata:
	id: CVE-2023-45283
	cwe: 'CWE-41: Improper Resolution of Path Equivalence'
	source:
	id: CVE-2023-45283