Bug 1200136 - (CVE-2022-30580) VUL-0: CVE-2022-30580: go1.17,go1.18: os/exec: empty Cmd.Path can result in running unintended binary on Windows
(CVE-2022-30580)
VUL-0: CVE-2022-30580: go1.17,go1.18: os/exec: empty Cmd.Path can result in r...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-06-01 22:51 UTC by Jeff Kowalczyk
Modified: 2022-06-07 19:23 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2022-06-01 22:51:51 UTC
If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed.

Thanks to Chris Darroch (chris...@github.com), brian m. carlson (bk2...@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3) for reporting this.

This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.
Comment 2 OBSbugzilla Bot 2022-06-02 02:40:09 UTC
This is an autogenerated message for OBS integration:
This bug (1200136) was mentioned in
https://build.opensuse.org/request/show/980419 Factory / go1.17
https://build.opensuse.org/request/show/980420 Factory / go1.18
Comment 3 Swamp Workflow Management 2022-06-07 19:22:50 UTC
SUSE-SU-2022:2005-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1193742,1200134,1200135,1200136,1200137
CVE References: CVE-2022-29804,CVE-2022-30580,CVE-2022-30629,CVE-2022-30634
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.18-1.18.3-150000.1.20.1
openSUSE Leap 15.3 (src):    go1.18-1.18.3-150000.1.20.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.18-1.18.3-150000.1.20.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.18-1.18.3-150000.1.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2022-06-07 19:23:51 UTC
SUSE-SU-2022:2004-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1190649,1200134,1200135,1200136,1200137
CVE References: CVE-2022-29804,CVE-2022-30580,CVE-2022-30629,CVE-2022-30634
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.17-1.17.11-150000.1.37.1
openSUSE Leap 15.3 (src):    go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.17-1.17.11-150000.1.37.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.17-1.17.11-150000.1.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.