Bug 1206134 (CVE-2022-41720) - VUL-0: CVE-2022-41720: go1.18,go1.19: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
Summary: VUL-0: CVE-2022-41720: go1.18,go1.19: os, net/http: avoid escapes from os.Dir...
Status: RESOLVED INVALID
Alias: CVE-2022-41720
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/349976/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-07 07:41 UTC by Jeff Kowalczyk
Modified: 2024-03-27 14:40 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2022-12-07 07:41:24 UTC 
The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access.

In addition, on Windows, an os.DirFS for the directory \(the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.

The behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.
Comment 1 Thomas Leroy 2022-12-07 08:57:59 UTC 
Thanks for the report Jeff. This one only affects Windows, we can close it
Comment 2 OBSbugzilla Bot 2022-12-07 21:45:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1206134) was mentioned in
https://build.opensuse.org/request/show/1041234 Factory / go1.18
https://build.opensuse.org/request/show/1041235 Factory / go1.19
Comment 4 Swamp Workflow Management 2022-12-09 20:21:13 UTC 
SUSE-SU-2022:4397-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200441,1206134,1206135
CVE References: CVE-2022-41717,CVE-2022-41720
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.19-1.19.4-150000.1.18.1
openSUSE Leap 15.3 (src):    go1.19-1.19.4-150000.1.18.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.19-1.19.4-150000.1.18.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.19-1.19.4-150000.1.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-12-09 20:22:09 UTC 
SUSE-SU-2022:4398-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1193742,1206134,1206135
CVE References: CVE-2022-41717,CVE-2022-41720
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.18-1.18.9-150000.1.40.1
openSUSE Leap 15.3 (src):    go1.18-1.18.9-150000.1.40.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.18-1.18.9-150000.1.40.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.18-1.18.9-150000.1.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-03-22 16:30:04 UTC 
SUSE-SU-2023:0871-1: An update that solves five vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1200441, 1206134, 1208270, 1208271, 1208272, 1209030
CVE References: CVE-2022-41720, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532
Sources used:
Containers Module 15-SP4 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Enterprise Storage 7.1 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Enterprise Storage 7 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE CaaS Platform 4.0 (src): container-suseconnect-2.4.0-150000.4.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-05-30 08:30:07 UTC 
SUSE-SU-2023:2312-1: An update that solves 28 vulnerabilities, contains one feature and has three fixes can now be installed.

Category: security (important)
Bug References: 1183043, 1193742, 1198423, 1198424, 1198427, 1199413, 1200134, 1200135, 1200136, 1200137, 1201434, 1201436, 1201437, 1201440, 1201443, 1201444, 1201445, 1201447, 1201448, 1202035, 1203185, 1204023, 1204024, 1204025, 1204941, 1206134, 1206135, 1208270, 1208271, 1208272, 1208491
CVE References: CVE-2022-1705, CVE-2022-1962, CVE-2022-24675, CVE-2022-27536, CVE-2022-27664, CVE-2022-28131, CVE-2022-28327, CVE-2022-2879, CVE-2022-2880, CVE-2022-29526, CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30634, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725
Jira References: PED-1962
Sources used:
openSUSE Leap 15.4 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
openSUSE Leap 15.5 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
Development Tools Module 15-SP4 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1 (src): go1.18-openssl-1.18.10.1-150000.1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.