Bug 1208269 (CVE-2022-41722) - VUL-0: CVE-2022-41722: go1.19,go1.20: path/filepath: path traversal in filepath.Clean on Windows
Summary: VUL-0: CVE-2022-41722: go1.19,go1.20: path/filepath: path traversal in filepa...
Status: RESOLVED INVALID
Alias: CVE-2022-41722
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-15 05:39 UTC by Jeff Kowalczyk
Modified: 2024-03-27 14:40 UTC
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Jeff Kowalczyk 2023-02-15 05:39:06 UTC
On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b.

Thanks to RyotaK (https://ryotak.net) for reporting this issue.

This is CVE-2022-41722 and Go issue https://go.dev/issue/57274.
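The advisory fixes filepath.Clean itself, but an application that joins untrusted relative paths onto a base directory can also refuse inputs of the a/../c:/b shape before they ever reach the filesystem. The following is an added example written for this page, not code from Go or from the advisory; SafeJoin, driveSpec and errEscape are hypothetical names, and the drive-letter check is done by hand so the behaviour is the same on every OS (filepath.VolumeName only recognises drives when GOOS=windows).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// driveSpec matches a Windows drive designator such as "c:" at the start of a
// path component. Checked by hand so the rule also applies on non-Windows hosts.
var driveSpec = regexp.MustCompile(`^[A-Za-z]:`)

var errEscape = errors.New("path escapes base directory")

// SafeJoin joins an untrusted relative path onto base. It rejects the input if
// any component looks like a volume, or if the cleaned result is absolute or
// lies outside base. Either rule would have rejected a/../c:/b on a Go release
// whose filepath.Clean turned it into c:\b.
func SafeJoin(base, untrusted string) (string, error) {
	// Normalise separators so `a\..\c:\b` and `a/../c:/b` are treated alike.
	norm := strings.ReplaceAll(untrusted, `\`, "/")
	if filepath.IsAbs(norm) || strings.HasPrefix(norm, "/") || filepath.VolumeName(untrusted) != "" {
		return "", errEscape
	}
	for _, comp := range strings.Split(norm, "/") {
		if driveSpec.MatchString(comp) {
			return "", errEscape
		}
	}
	joined := filepath.Join(base, filepath.FromSlash(norm))
	// Clean may have collapsed ".." components; confirm the result is still under base.
	rel, err := filepath.Rel(base, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscape
	}
	return joined, nil
}

func main() {
	// Constructed sample inputs: one legitimate path and three that must be rejected.
	for _, p := range []string{"docs/../readme.txt", "a/../c:/b", "../etc/passwd", `a\..\c:\b`} {
		out, err := SafeJoin("data", p)
		fmt.Printf("%-22q -> %q %v\n", p, out, err)
	}
}
```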
Comment 1 Thomas Leroy 2023-02-15 09:10:57 UTC
Thanks, Jeff, for the report. This only affects Windows; let me close it.
Comment 2 OBSbugzilla Bot 2023-02-16 08:25:04 UTC
This is an autogenerated message for OBS integration:
This bug (1208269) was mentioned in
https://build.opensuse.org/request/show/1066111 Factory / go1.19
Comment 5 Maintenance Automation 2023-03-14 20:30:05 UTC
SUSE-SU-2023:0735-1: An update that solves five vulnerabilities, contains one feature and has one fix can now be installed.

Category: security (important)
Bug References: 1206346, 1208269, 1208270, 1208271, 1208272, 1209030
CVE References: CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532
Jira References: PED-1962
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.2-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.20-1.20.2-150000.1.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-03-14 20:30:13 UTC
SUSE-SU-2023:0733-1: An update that solves five vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1200441, 1208269, 1208270, 1208271, 1208272, 1209030
CVE References: CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532
Sources used:
openSUSE Leap 15.4 (src): go1.19-1.19.7-150000.1.23.1
Development Tools Module 15-SP4 (src): go1.19-1.19.7-150000.1.23.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.19-1.19.7-150000.1.23.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
SUSE Enterprise Storage 7.1 (src): go1.19-1.19.7-150000.1.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.