Bug 1199413 - (CVE-2022-29526) VUL-0: CVE-2022-29526: go1.17,go1.18: syscall: Faccessat checks wrong group
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other openSUSE Tumbleweed
: P3 - Medium : Normal
Assigned To: Jeff Kowalczyk
Security Team bot
CVSSv3.1:SUSE:CVE-2022-29526:6.2:(AV:...
Reported: 2022-05-11 03:07 UTC by Jeff Kowalczyk
Modified: 2022-05-26 16:17 UTC
Description Jeff Kowalczyk 2022-05-11 03:07:54 UTC
When called with a non-zero flags parameter, the syscall Faccessat function could incorrectly report that a file is accessible.

Thanks to Joël Gähwiler (@256dpi) for reporting this.

This is CVE-2022-29526 and https://go.dev/issue/52313.

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526
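An added example, not part of the bug report or the Go source: a simplified model of the "checks wrong group" flaw named in the title, assuming the non-zero-flags path emulates the permission check in user space and tested group membership against the process's own gid instead of the file's gid. The types, function names and sample credentials are constructed for illustration.

```go
package main

import "fmt"

// proc is a constructed stand-in for the calling process's credentials.
type proc struct {
	uid, gid uint32
	groups   []uint32 // supplementary groups
}

// file is a constructed stand-in for the stat fields the check reads.
type file struct {
	uid, gid uint32
	mode     uint32 // permission bits, e.g. 0640
}

func member(groups []uint32, gid uint32) bool {
	for _, g := range groups {
		if g == gid {
			return true
		}
	}
	return false
}

// accessible reports whether want (an rwx mask, 1..7) is granted.
// testFileGroup=false models the assumed flaw: membership is tested for the
// process's own gid. testFileGroup=true tests the file's gid instead.
func accessible(p proc, f file, want uint32, testFileGroup bool) bool {
	probe := p.gid
	if testFileGroup {
		probe = f.gid
	}
	var bits uint32
	switch {
	case p.uid == f.uid:
		bits = (f.mode >> 6) & 7 // owner class
	case p.gid == f.gid || member(p.groups, probe):
		bits = (f.mode >> 3) & 7 // group class
	default:
		bits = f.mode & 7 // other class
	}
	return bits&want == want
}

func main() {
	p := proc{uid: 1000, gid: 100, groups: []uint32{100, 1000}} // constructed
	f := file{uid: 0, gid: 15, mode: 0640}                      // constructed
	fmt.Println("process gid tested:", accessible(p, f, 4, false))
	fmt.Println("file gid tested:   ", accessible(p, f, 4, true))
}
```

With the process's own gid tested, the group class is selected for a file whose group the process does not belong to, so the read check passes where the other class would deny it.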
Comment 2 OBSbugzilla Bot 2022-05-11 06:40:13 UTC
This is an autogenerated message for OBS integration:
This bug (1199413) was mentioned in
https://build.opensuse.org/request/show/976172 Factory / go1.17
https://build.opensuse.org/request/show/976173 Factory / go1.18
Comment 3 Hu 2022-05-11 09:12:00 UTC
I think these are affected as well:
 - SUSE:SLE-15:Update/go1.15   1.15.15
 - openSUSE:Factory/go1.15     1.15.15
 - SUSE:SLE-15:Update/go1.16   1.16.15
 - openSUSE:Factory/go1.16     1.16.15
Comment 4 Marcus Meissner 2022-05-11 09:31:04 UTC
In SLE we only maintain the 2 newest go versions (go1.18 and go1.17).
Comment 5 Swamp Workflow Management 2022-05-24 13:18:45 UTC
SUSE-SU-2022:1829-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1193742,1199413
CVE References: CVE-2022-29526
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.18-1.18.2-150000.1.17.1
openSUSE Leap 15.3 (src):    go1.18-1.18.2-150000.1.17.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.18-1.18.2-150000.1.17.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.18-1.18.2-150000.1.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-05-26 16:17:17 UTC
SUSE-SU-2022:1862-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1199413
CVE References: CVE-2022-29526
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.17-1.17.10-150000.1.34.1
openSUSE Leap 15.3 (src):    go1.17-1.17.10-150000.1.34.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.17-1.17.10-150000.1.34.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.17-1.17.10-150000.1.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.