Skip to content

Commit

Permalink
data/reports: add GO-2023-2185.yaml
Browse files Browse the repository at this point in the history 
Aliases: CVE-2023-45283

Updates #2185

Change-Id: Idc0d3d7b0a969f61721288011fa40c7de679cf4e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/540717
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
  • Loading branch information
@tatianab
tatianab committed Nov 8, 2023
1 parent 8f8dd86 commit bfa4654
Show file tree
Hide file tree
Showing 3 changed files with 303 additions and 0 deletions.
150 changes: 150 additions & 0 deletions data/cve/v5/GO-2023-2185.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,150 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.0",
"cveMetadata": {
"cveId": "CVE-2023-45283"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
},
"title": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath",
"descriptions": [
{
"lang": "en",
"value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name."
}
],
"affected": [
{
"vendor": "Go standard library",
"product": "path/filepath",
"collectionURL": "https://pkg.go.dev",
"packageName": "path/filepath",
"versions": [
{
"version": "0",
"lessThan": "1.20.11",
"status": "affected",
"versionType": "semver"
},
{
"version": "1.21.0-0",
"lessThan": "1.21.4",
"status": "affected",
"versionType": "semver"
}
],
"platforms": [
"windows"
],
"programRoutines": [
{
"name": "Clean"
},
{
"name": "volumeNameLen"
},
{
"name": "join"
},
{
"name": "Abs"
},
{
"name": "Base"
},
{
"name": "Dir"
},
{
"name": "EvalSymlinks"
},
{
"name": "Glob"
},
{
"name": "IsLocal"
},
{
"name": "Join"
},
{
"name": "Rel"
},
{
"name": "Split"
},
{
"name": "VolumeName"
},
{
"name": "Walk"
},
{
"name": "WalkDir"
}
],
"defaultStatus": "unaffected"
},
{
"vendor": "Go standard library",
"product": "internal/safefilepath",
"collectionURL": "https://pkg.go.dev",
"packageName": "internal/safefilepath",
"versions": [
{
"version": "0",
"lessThan": "1.20.11",
"status": "affected",
"versionType": "semver"
},
{
"version": "1.21.0-0",
"lessThan": "1.21.4",
"status": "affected",
"versionType": "semver"
}
],
"platforms": [
"windows"
],
"programRoutines": [
{
"name": "fromFS"
},
{
"name": "FromFS"
}
],
"defaultStatus": "unaffected"
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-41: Improper Resolution of Path Equivalence"
}
]
}
],
"references": [
{
"url": "https://go.dev/issue/63713"
},
{
"url": "https://go.dev/cl/540277"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-2185"
}
]
}
}
}
92 changes: 92 additions & 0 deletions data/osv/GO-2023-2185.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
{
"schema_version": "1.3.1",
"id": "GO-2023-2185",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2023-45283"
],
"summary": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath",
"details": "The filepath package does not recognize paths with a \\??\\ prefix as special.\n\nOn Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x.\n\nBefore fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b.\n\nSimilarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b.\n\nIn addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.11"
},
{
"introduced": "1.21.0-0"
},
{
"fixed": "1.21.4"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "path/filepath",
"goos": [
"windows"
],
"symbols": [
"Abs",
"Base",
"Clean",
"Dir",
"EvalSymlinks",
"Glob",
"IsLocal",
"Join",
"Rel",
"Split",
"VolumeName",
"Walk",
"WalkDir",
"join",
"volumeNameLen"
]
},
{
"path": "internal/safefilepath",
"goos": [
"windows"
],
"symbols": [
"FromFS",
"fromFS"
]
}
]
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://go.dev/issue/63713"
},
{
"type": "FIX",
"url": "https://go.dev/cl/540277"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-2185"
}
}
61 changes: 61 additions & 0 deletions data/reports/GO-2023-2185.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
id: GO-2023-2185
modules:
- module: std
versions:
- fixed: 1.20.11
- introduced: 1.21.0-0
fixed: 1.21.4
vulnerable_at: 1.21.3
packages:
- package: path/filepath
goos:
- windows
symbols:
- Clean
- volumeNameLen
- join
derived_symbols:
- Abs
- Base
- Dir
- EvalSymlinks
- Glob
- IsLocal
- Join
- Rel
- Split
- VolumeName
- Walk
- WalkDir
- package: internal/safefilepath
goos:
- windows
symbols:
- fromFS
derived_symbols:
- FromFS
summary: Insecure parsing of Windows paths with a \??\ prefix in path/filepath
description: |-
The filepath package does not recognize paths with a \??\ prefix as special.
On Windows, a path beginning with \??\ is a Root Local Device path equivalent to
a path beginning with \\?\. Paths with a \??\ prefix may be used to access
arbitrary locations on the system. For example, the path \??\c:\x is equivalent
to the more common path c:\x.
Before fix, Clean could convert a rooted path such as \a\..\??\b into the root
local device path \??\b. Clean will now convert this to .\??\b.
Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path
elements into the root local device path \??\b. Join will now convert this to
\.\??\b.
In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as
absolute, and VolumeName correctly reports the \??\ prefix as a volume name.
references:
- report: https://go.dev/issue/63713
- fix: https://go.dev/cl/540277
- web: https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
cve_metadata:
id: CVE-2023-45283
cwe: 'CWE-41: Improper Resolution of Path Equivalence'

0 comments on commit bfa4654

Please sign in to comment.