Bug 1200137 - (CVE-2022-29804) VUL-0: CVE-2022-29804: go1.17,go1.18: path/filepath: Clean(`.\c:`) returns `c:` on Windows
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium / Severity: Normal
Assigned To: Security Team bot
Reported: 2022-06-01 22:53 UTC by Jeff Kowalczyk
Modified: 2022-06-07 19:23 UTC (History)
Description Jeff Kowalczyk 2022-06-01 22:53:05 UTC
On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

Thanks to Unrud for reporting this issue.

This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.
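As an added example (not code from the Go project or from this bug report), the following program emulates the lexical cleaning described above with the portable path package so it runs on any OS, reproduces the `.\c:` to `c:` conversion, and adds the check a defender wants: a relative input must not clean into a drive-relative path. The names SafeClean, toWindowsLexical and looksDriveRelative are assumptions for illustration, and the emulation covers only the drive-letter case, not UNC paths.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// toWindowsLexical normalises a Windows-style path lexically, treating both
// '\' and '/' as separators, by reusing path.Clean. This is an assumption
// used to emulate the pre-fix filepath.Clean behaviour for the inputs in
// this report; it is not the real filepath implementation.
func toWindowsLexical(p string) string {
	cleaned := path.Clean(strings.ReplaceAll(p, `\`, "/"))
	return strings.ReplaceAll(cleaned, "/", `\`)
}

// looksDriveRelative reports whether p begins with a drive letter and a
// colon (for example `c:`), which Windows resolves relative to that drive's
// current directory instead of the caller's working directory.
func looksDriveRelative(p string) bool {
	if len(p) < 2 || p[1] != ':' {
		return false
	}
	c := p[0] | 0x20 // fold ASCII to lowercase
	return c >= 'a' && c <= 'z'
}

// SafeClean cleans p but refuses to let a relative input become a
// drive-relative path. The second result is true when that conversion was
// detected and prevented by keeping a `.\` prefix; an input that already
// names a drive is passed through unchanged.
func SafeClean(p string) (string, bool) {
	cleaned := toWindowsLexical(p)
	if !looksDriveRelative(p) && looksDriveRelative(cleaned) {
		return `.\` + cleaned, true
	}
	return cleaned, false
}

func main() {
	// Constructed inputs: the reported case, a variant that reaches the
	// same result through "..", and a harmless relative path.
	for _, in := range []string{`.\c:`, `foo\..\c:`, `a\.\b`} {
		out, prevented := SafeClean(in)
		fmt.Printf("%-12q lexical=%-8q safe=%-8q prevented=%v\n",
			in, toWindowsLexical(in), out, prevented)
	}
}
```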
Comment 2 OBSbugzilla Bot 2022-06-02 02:40:10 UTC
This is an autogenerated message for OBS integration:
This bug (1200137) was mentioned in
https://build.opensuse.org/request/show/980419 Factory / go1.17
https://build.opensuse.org/request/show/980420 Factory / go1.18
Comment 3 Swamp Workflow Management 2022-06-07 19:22:54 UTC
SUSE-SU-2022:2005-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1193742,1200134,1200135,1200136,1200137
CVE References: CVE-2022-29804,CVE-2022-30580,CVE-2022-30629,CVE-2022-30634
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.18-1.18.3-150000.1.20.1
openSUSE Leap 15.3 (src):    go1.18-1.18.3-150000.1.20.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.18-1.18.3-150000.1.20.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.18-1.18.3-150000.1.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2022-06-07 19:23:55 UTC
SUSE-SU-2022:2004-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1190649,1200134,1200135,1200136,1200137
CVE References: CVE-2022-29804,CVE-2022-30580,CVE-2022-30629,CVE-2022-30634
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.17-1.17.11-150000.1.37.1
openSUSE Leap 15.3 (src):    go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.17-1.17.11-150000.1.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.