Bug 1203186 (CVE-2022-32190)

Summary: VUL-0: CVE-2022-32190: go1.19: net/url: JoinPath does not strip relative path components in all circumstances
Product: [Novell Products] SUSE Security Incidents Reporter: Jeff Kowalczyk <jkowalczyk>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andreas.taschner, meissner, rfrohl
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/341667/
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jeff Kowalczyk 2022-09-06 23:24:10 UTC
JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path. For example, JoinPath("https://go.dev", "../go") returned the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are cleaned from the result.

Thanks to @q0jt for reporting this issue.

This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

net/url JoinPath() is new in go1.19. go1.18 and earlier are not affected.
Comment 1 OBSbugzilla Bot 2022-09-07 01:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1203186) was mentioned in
https://build.opensuse.org/request/show/1001534 Factory / go1.19
Comment 3 Swamp Workflow Management 2022-09-21 16:24:58 UTC
SUSE-SU-2022:3326-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1200441,1203185,1203186
CVE References: CVE-2022-27664,CVE-2022-32190
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.19-1.19.1-150000.1.9.1
openSUSE Leap 15.3 (src):    go1.19-1.19.1-150000.1.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.19-1.19.1-150000.1.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.19-1.19.1-150000.1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.