| packages: |
| - module: std |
| package: syscall |
| symbols: |
| - ForkExec |
| versions: |
| - fixed: 1.16.2 |
| - introduced: 1.17 |
| fixed: 1.17.5 |
| description: | |
| When a Go program running on a Unix system is out of file descriptors and |
| calls syscall.ForkExec (including indirectly by using the os/exec package), |
| syscall.ForkExec can close file descriptor 0 as it fails. If this happens |
| (or can be provoked) repeatedly, it can result in misdirected I/O such as |
| writing network traffic intended for one connection to a different |
| connection, or content intended for one file to a different one. |
| |
| For users who cannot immediately update to the new release, the bug can be |
| mitigated by raising the per-process file descriptor limit. |
| cves: |
| - CVE-2021-44717 |
| credit: Tomasz Maczukin and Kamil TrzciĆski of GitLab |
| links: |
| pr: https://go.dev/cl/370576/ |
| commit: https://go.googlesource.com/go/+/a76511f3a40ea69ee4f5cd86e735e1c8a84f0aa2 |
| context: |
| - https://go.dev/issue/50057 |
| - https://groups.google.com/g/golang-announce/c/hcmEScgc00k |
| - https://go.dev/cl/370577/ |
| - https://go.dev/cl/370795/ |
| - https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html |
| - https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html |
