Bug 1216943 (CVE-2023-45283)

Summary: VUL-0: CVE-2023-45283: go1.20,go1.21: path/filepath: recognize \??\ as a Root Local Device path prefix
Product: [Novell Products] SUSE Security Incidents Reporter: Jeff Kowalczyk <jkowalczyk>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jkowalczyk, meissner, rfrohl, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/384284/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-45283:6.8:(AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jeff Kowalczyk 2023-11-07 21:13:57 UTC 
On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x.

The filepath package did not recognize paths with a \??\ prefix as special.

Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. It will now convert this path into .\??\b.

IsAbs did not report paths beginning with \??\ as absolute. It now does so.

VolumeName now reports the \??\ prefix as a volume name.

Join(`\`, `??`, `b`) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. It will now convert this to \.\??\b.

This is CVE-2023-45283 and https://go.dev/issue/63713.
Comment 1 OBSbugzilla Bot 2023-11-07 22:25:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1216943) was mentioned in
https://build.opensuse.org/request/show/1124118 Factory / go1.20
https://build.opensuse.org/request/show/1124119 Factory / go1.21
Comment 4 Maintenance Automation 2023-11-16 20:30:01 UTC 
SUSE-SU-2023:4472-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1206346, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2023-11-16 20:30:05 UTC 
SUSE-SU-2023:4471-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1212475, 1216943, 1216944
CVE References: CVE-2023-45283, CVE-2023-45284
Sources used:
openSUSE Leap 15.4 (src): go1.21-1.21.4-150000.1.15.1
openSUSE Leap 15.5 (src): go1.21-1.21.4-150000.1.15.1
Development Tools Module 15-SP4 (src): go1.21-1.21.4-150000.1.15.1
Development Tools Module 15-SP5 (src): go1.21-1.21.4-150000.1.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-11-16 20:30:08 UTC 
SUSE-SU-2023:4470-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1206346, 1216943, 1216944
CVE References: CVE-2023-45283, CVE-2023-45284
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.11-150000.1.32.1
openSUSE Leap 15.5 (src): go1.20-1.20.11-150000.1.32.1
Development Tools Module 15-SP4 (src): go1.20-1.20.11-150000.1.32.1
Development Tools Module 15-SP5 (src): go1.20-1.20.11-150000.1.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-11-16 20:30:12 UTC 
SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Jira References: SLE-18320
Sources used:
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Jeff Kowalczyk 2023-12-06 06:32:06 UTC 
Related update from Go upstream for go1.20.12 and go1.21.5:

path/filepath: retain trailing \ when cleaning paths like \\?\c:\

Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?\, resulting in filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other effects). The previous behavior has been restored.

This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.
Comment 10 OBSbugzilla Bot 2023-12-06 08:25:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1216943) was mentioned in
https://build.opensuse.org/request/show/1131274 Factory / go1.20
https://build.opensuse.org/request/show/1131275 Factory / go1.21
Comment 12 Maintenance Automation 2023-12-11 20:36:21 UTC 
SUSE-SU-2023:4709-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.21-1.21.5-150000.1.18.1
openSUSE Leap 15.5 (src): go1.21-1.21.5-150000.1.18.1
Development Tools Module 15-SP4 (src): go1.21-1.21.5-150000.1.18.1
Development Tools Module 15-SP5 (src): go1.21-1.21.5-150000.1.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2023-12-11 20:36:24 UTC 
SUSE-SU-2023:4708-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1206346, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.12-150000.1.35.1
openSUSE Leap 15.5 (src): go1.20-1.20.12-150000.1.35.1
Development Tools Module 15-SP4 (src): go1.20-1.20.12-150000.1.35.1
Development Tools Module 15-SP5 (src): go1.20-1.20.12-150000.1.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2023-12-20 16:30:06 UTC 
SUSE-SU-2023:4931-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.5.1-150000.1.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2023-12-20 16:30:09 UTC 
SUSE-SU-2023:4930-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1206346, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.12.1-150000.1.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Robert Frohl 2024-06-10 09:15:16 UTC 
done, closing