Bugzilla – Bug 1216943
VUL-0: CVE-2023-45283: go1.20,go1.21: path/filepath: recognize \??\ as a Root Local Device path prefix
Last modified: 2024-06-10 09:16:34 UTC
On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x.

The filepath package did not recognize paths with a \??\ prefix as special.

Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. It will now convert this path into .\??\b.

IsAbs did not report paths beginning with \??\ as absolute. It now does so.

VolumeName now reports the \??\ prefix as a volume name.

Join(`\`, `??`, `b`) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. It will now convert this to \.\??\b.

This is CVE-2023-45283 and https://go.dev/issue/63713.
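
The Clean and Join cases above can be checked on any OS with a purely lexical test. This is an added example, not code from the Go project or from this bug report: the function names are hypothetical, and lexicalClean is a simplified stand-in for filepath.Clean that ignores drive letters and UNC volumes.

```go
package main

import (
	"fmt"
	"strings"
)

// isSep reports whether c is a Windows path separator.
func isSep(c byte) bool { return c == '\\' || c == '/' }

// hasDevicePrefix reports whether p begins with \??\ or \\?\.
func hasDevicePrefix(p string) bool {
	return len(p) >= 4 && isSep(p[0]) && (p[1] == '?' || isSep(p[1])) && p[2] == '?' && isSep(p[3])
}

// lexicalClean resolves "." and ".." Windows-style (simplified: no drive or UNC volumes).
func lexicalClean(p string) string {
	rooted := p != "" && isSep(p[0])
	var out []string
	for _, e := range strings.FieldsFunc(p, func(r rune) bool { return r == '\\' || r == '/' }) {
		switch {
		case e == ".":
		case e != "..":
			out = append(out, e)
		case len(out) > 0 && out[len(out)-1] != "..":
			out = out[:len(out)-1]
		case !rooted:
			out = append(out, "..")
		}
	}
	if rooted {
		return `\` + strings.Join(out, `\`)
	}
	return strings.Join(out, `\`)
}

// resolvesToDevicePath flags input that is, or cleans to, a device path.
func resolvesToDevicePath(p string) bool {
	return hasDevicePrefix(p) || hasDevicePrefix(lexicalClean(p))
}

func main() {
	// Constructed inputs; the second is Join(`\`, `??`, `b`) joined naively.
	for _, p := range []string{`\a\..\??\b`, `\\??\b`, `\??\c:\x`, `\a\b`} {
		fmt.Printf("%-12q clean=%-10q device=%v\n", p, lexicalClean(p), resolvesToDevicePath(p))
	}
}
```

Running the check on the cleaned form as well as the raw input is what catches \a\..\??\b, which carries no device prefix until the ".." element is resolved.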
This is an autogenerated message for OBS integration:
This bug (1216943) was mentioned in
https://build.opensuse.org/request/show/1124118 Factory / go1.20
https://build.opensuse.org/request/show/1124119 Factory / go1.21
SUSE-SU-2023:4472-1: An update that solves five vulnerabilities can now be installed.
Category: security (important)
Bug References: 1206346, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4471-1: An update that solves two vulnerabilities and has one security fix can now be installed.
Category: security (moderate)
Bug References: 1212475, 1216943, 1216944
CVE References: CVE-2023-45283, CVE-2023-45284
Sources used:
openSUSE Leap 15.4 (src): go1.21-1.21.4-150000.1.15.1
openSUSE Leap 15.5 (src): go1.21-1.21.4-150000.1.15.1
Development Tools Module 15-SP4 (src): go1.21-1.21.4-150000.1.15.1
Development Tools Module 15-SP5 (src): go1.21-1.21.4-150000.1.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4470-1: An update that solves two vulnerabilities and has one security fix can now be installed.
Category: security (moderate)
Bug References: 1206346, 1216943, 1216944
CVE References: CVE-2023-45283, CVE-2023-45284
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.11-150000.1.32.1
openSUSE Leap 15.5 (src): go1.20-1.20.11-150000.1.32.1
Development Tools Module 15-SP4 (src): go1.20-1.20.11-150000.1.32.1
Development Tools Module 15-SP5 (src): go1.20-1.20.11-150000.1.32.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed.
Category: security (moderate)
Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Jira References: SLE-18320
Sources used:
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Related update from Go upstream for go1.20.12 and go1.21.5:

path/filepath: retain trailing \ when cleaning paths like \\?\c:\

Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?\, resulting in filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other effects). The previous behavior has been restored.

This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.
This is an autogenerated message for OBS integration:
This bug (1216943) was mentioned in
https://build.opensuse.org/request/show/1131274 Factory / go1.20
https://build.opensuse.org/request/show/1131275 Factory / go1.21
SUSE-SU-2023:4709-1: An update that solves three vulnerabilities and has one security fix can now be installed.
Category: security (important)
Bug References: 1212475, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.21-1.21.5-150000.1.18.1
openSUSE Leap 15.5 (src): go1.21-1.21.5-150000.1.18.1
Development Tools Module 15-SP4 (src): go1.21-1.21.5-150000.1.18.1
Development Tools Module 15-SP5 (src): go1.21-1.21.5-150000.1.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4708-1: An update that solves three vulnerabilities and has one security fix can now be installed.
Category: security (important)
Bug References: 1206346, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.12-150000.1.35.1
openSUSE Leap 15.5 (src): go1.20-1.20.12-150000.1.35.1
Development Tools Module 15-SP4 (src): go1.20-1.20.12-150000.1.35.1
Development Tools Module 15-SP5 (src): go1.20-1.20.12-150000.1.35.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4931-1: An update that solves three vulnerabilities and has one security fix can now be installed.
Category: security (important)
Bug References: 1212475, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4930-1: An update that solves three vulnerabilities and has one security fix can now be installed.
Category: security (important)
Bug References: 1206346, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing