data/reports/GO-2023-2185.yaml - vulndb - Git at Google

 id: GO-2023-2185
 modules:
     - module: std
       versions:
         - fixed: 1.20.11
         - introduced: 1.21.0-0
           fixed: 1.21.4
       vulnerable_at: 1.21.3
       packages:
         - package: path/filepath
           goos:
             - windows
           symbols:
             - Clean
             - volumeNameLen
             - join
           derived_symbols:
             - Abs
             - Base
             - Dir
             - EvalSymlinks
             - Glob
             - IsLocal
             - Join
             - Rel
             - Split
             - VolumeName
             - Walk
             - WalkDir
         - package: internal/safefilepath
           goos:
             - windows
           symbols:
             - fromFS
           derived_symbols:
             - FromFS
     - module: std
       versions:
         - introduced: 1.20.11
           fixed: 1.20.12
         - introduced: 1.21.4
           fixed: 1.21.5
       vulnerable_at: 1.21.4
       packages:
         - package: path/filepath
           goos:
             - windows
           symbols:
             - volumeNameLen
           derived_symbols:
             - Abs
             - Base
             - Clean
             - Dir
             - EvalSymlinks
             - Glob
             - IsLocal
             - Join
             - Rel
             - Split
             - VolumeName
             - Walk
             - WalkDir
 summary: Insecure parsing of Windows paths with a \??\ prefix in path/filepath
 description: |-
     The filepath package does not recognize paths with a \??\ prefix as special.

     On Windows, a path beginning with \??\ is a Root Local Device path equivalent to
     a path beginning with \\?\. Paths with a \??\ prefix may be used to access
     arbitrary locations on the system. For example, the path \??\c:\x is equivalent
     to the more common path c:\x.

     Before fix, Clean could convert a rooted path such as \a\..\??\b into the root
     local device path \??\b. Clean will now convert this to .\??\b.

     Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path
     elements into the root local device path \??\b. Join will now convert this to
     \.\??\b.

     In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as
     absolute, and VolumeName correctly reports the \??\ prefix as a volume name.

     UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the
     volume name in Windows paths starting with \?, resulting in
     filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects).
     The previous behavior has been restored.
 references:
     - report: https://go.dev/issue/63713
     - fix: https://go.dev/cl/540277
     - web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
     - report: https://go.dev/issue/64028
     - fix: https://go.dev/cl/541175
     - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
 cve_metadata:
     id: CVE-2023-45283
     cwe: 'CWE-41: Improper Resolution of Path Equivalence'
     references:
         - http://www.openwall.com/lists/oss-security/2023/12/05/2
         - https://security.netapp.com/advisory/ntap-20231214-0008/
	id: GO-2023-2185
	modules:
	- module: std
	versions:
	- fixed: 1.20.11
	- introduced: 1.21.0-0
	fixed: 1.21.4
	vulnerable_at: 1.21.3
	packages:
	- package: path/filepath
	goos:
	- windows
	symbols:
	- Clean
	- volumeNameLen
	- join
	derived_symbols:
	- Abs
	- Base
	- Dir
	- EvalSymlinks
	- Glob
	- IsLocal
	- Join
	- Rel
	- Split
	- VolumeName
	- Walk
	- WalkDir
	- package: internal/safefilepath
	goos:
	- windows
	symbols:
	- fromFS
	derived_symbols:
	- FromFS
	- module: std
	versions:
	- introduced: 1.20.11
	fixed: 1.20.12
	- introduced: 1.21.4
	fixed: 1.21.5
	vulnerable_at: 1.21.4
	packages:
	- package: path/filepath
	goos:
	- windows
	symbols:
	- volumeNameLen
	derived_symbols:
	- Abs
	- Base
	- Clean
	- Dir
	- EvalSymlinks
	- Glob
	- IsLocal
	- Join
	- Rel
	- Split
	- VolumeName
	- Walk
	- WalkDir
	summary: Insecure parsing of Windows paths with a \??\ prefix in path/filepath
	description: \|-
	The filepath package does not recognize paths with a \??\ prefix as special.

	On Windows, a path beginning with \??\ is a Root Local Device path equivalent to
	a path beginning with \\?\. Paths with a \??\ prefix may be used to access
	arbitrary locations on the system. For example, the path \??\c:\x is equivalent
	to the more common path c:\x.

	Before fix, Clean could convert a rooted path such as \a\..\??\b into the root
	local device path \??\b. Clean will now convert this to .\??\b.

	Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path
	elements into the root local device path \??\b. Join will now convert this to
	\.\??\b.

	In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as
	absolute, and VolumeName correctly reports the \??\ prefix as a volume name.

	UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the
	volume name in Windows paths starting with \?, resulting in
	filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects).
	The previous behavior has been restored.
	references:
	- report: https://go.dev/issue/63713
	- fix: https://go.dev/cl/540277
	- web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
	- report: https://go.dev/issue/64028
	- fix: https://go.dev/cl/541175
	- web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
	cve_metadata:
	id: CVE-2023-45283
	cwe: 'CWE-41: Improper Resolution of Path Equivalence'
	references:
	- http://www.openwall.com/lists/oss-security/2023/12/05/2
	- https://security.netapp.com/advisory/ntap-20231214-0008/