Bug 2084085 (CVE-2022-29526)

Summary: CVE-2022-29526 golang: syscall: faccessat checks wrong group
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abenaiss, amackenz, amasferr, amctagga, amurdaca, aoconnor, asm, bcoca, bdettelb, bmontgom, bniver, chazlett, chousekn, cmeyers, davidn, dbenoit, deparker, dwd, dwhatley, dymurray, eglynn, emachado, eparis, fdeutsch, flucifre, gblomqui, gmeno, gparvin, ibolton, jakob, jburrell, jcajka, jcammara, jhardy, jjoyce, jmatthew, jmontleo, jobarker, joelsmith, jokerman, jramanat, jwendell, lemenkov, lmadsen, mabashia, madam, maszulik, mbenjamin, mburns, mfojtik, mgarciac, mhackett, mkudlej, mrunge, njean, nobody, notting, nstielau, ocs-bugs, osapryki, ovanders, pahickey, pbhattac, rcernich, relrod, rpetrell, scorneli, sdoran, sipoyare, slucidi, smcdonal, sostapov, sponnaga, spower, sseago, stcannon, sttts, tjochec, tkuratom, tnielsen, tstellar, twalsh, vereddy, vkumar, ytale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: go 1.17.10, go 1.18.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the syscall.Faccessat function when calling a process by checking the group. This flaw allows an attacker to check the process group permissions rather than a member of the file's group, affecting system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-03 12:25:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2089158, 2089159, 2092754, 2093091, 2093092, 2093093, 2093094, 2095538, 2095539, 2095540, 2095541, 2095542, 2095543, 2095544, 2095545, 2095546, 2095547, 2095548, 2095549, 2095550, 2095551, 2095552, 2095553, 2095554, 2095555, 2095556, 2095557, 2095558, 2095559, 2095560, 2095561, 2095562, 2095563, 2095564, 2095565, 2095566, 2095567, 2095568, 2095569, 2095571, 2095853, 2095855, 2095857, 2095860, 2095861, 2095863, 2095865, 2095867, 2095868, 2095869, 2095870, 2095872, 2095873, 2095875, 2095876, 2095878, 2095880, 2095881, 2095882, 2095883, 2095885, 2095886, 2095887, 2096470, 2110022, 2168805    
Bug Blocks: 2084220    

Description TEJ RATHI 2022-05-11 10:58:07 UTC 
We have just released Go versions 1.18.2 and 1.17.10, minor point releases.
These minor releases include one security fix following the security policy:

When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

References:
https://go.dev/issue/52313
https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU

Commits:
Master : https://github.com/golang/go/commit/f66925e854e71e0c54b581885380a490d7afa30c
Branch.go1.17 : https://github.com/golang/go/commit/04781d14d2d33acbaf70f77e3a58ae0f3c90757c
Branch.go1.18 : https://github.com/golang/go/commit/c0599c5b781de023974519194df6b0c4ebb0adff
Comment 3 Anten Skrabec 2022-06-02 21:59:44 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2093091]
Affects: fedora-all [bug 2093092]
Comment 8 errata-xmlrpc 2022-06-27 17:03:57 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:5201 https://access.redhat.com/errata/RHSA-2022:5201
Comment 9 errata-xmlrpc 2022-06-28 15:16:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5337 https://access.redhat.com/errata/RHSA-2022:5337
Comment 10 errata-xmlrpc 2022-06-28 17:06:23 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7

Via RHSA-2022:5392 https://access.redhat.com/errata/RHSA-2022:5392
Comment 12 errata-xmlrpc 2022-07-28 14:44:01 UTC 
This issue has been addressed in the following products:

  OSSO-1.0-RHEL-8

Via RHSA-2022:5699 https://access.redhat.com/errata/RHSA-2022:5699
Comment 13 errata-xmlrpc 2022-08-02 07:45:24 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:5840 https://access.redhat.com/errata/RHSA-2022:5840
Comment 16 errata-xmlrpc 2022-08-24 13:48:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156
Comment 17 errata-xmlrpc 2022-08-31 16:56:16 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277
Comment 18 Product Security DevOps Team 2022-09-03 12:25:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29526
Comment 19 errata-xmlrpc 2022-09-26 15:26:59 UTC 
This issue has been addressed in the following products:

  RHACS-3.72-RHEL-8

Via RHSA-2022:6714 https://access.redhat.com/errata/RHSA-2022:6714
Comment 20 errata-xmlrpc 2023-01-24 13:34:36 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 22 errata-xmlrpc 2023-03-30 00:42:57 UTC 
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529
Comment 23 errata-xmlrpc 2023-06-15 16:00:01 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642