Bug 2124668 (CVE-2022-32190)

Summary: CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abishop, adudiak, agerstmayr, alakatos, amackenz, amasferr, amctagga, amurdaca, ansmith, aoconnor, apevec, asm, bbaude, bbuckingham, bcl, bcoca, bcourt, bdettelb, bkundu, bniver, bodavis, btotty, chazlett, chousekn, cmeyers, cnv-qe-bugs, davidn, dbenoit, dcadzow, debarshir, deparker, desktop-qa-list, dkenigsb, dwalsh, dwd, dwhatley, dymurray, eduardo.ramalho, eglynn, ehelms, emachado, etamir, fdeutsch, flucifre, gblomqui, gmeno, go-sig, gparvin, grafana-maint, hchiramm, ibolton, jaharrin, jburrell, jcajka, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jligon, jmatthew, jmontleo, jmulligan, jnovy, jobarker, jpadman, jramanat, jsherril, jwendell, jwon, lball, lemenkov, lhh, lmadsen, lsm5, lzap, mabashia, madam, matzew, maxwell, mbenjamin, mboddu, mburns, mcressma, mgarciac, mhackett, mheon, mhulan, mkudlej, mmagr, mmccune, mnewsome, mokumar, mrunge, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmoumoul, nobody, notting, ocs-bugs, opohorel, orabin, oramraz, osapryki, osbuilders, oskutka, ovanders, pahickey, pcreech, pehunt, periklis, pjindal, ploffay, pthomas, rcernich, rchan, relrod, rhcos-sst, rhos-maint, rhs-bugs, rhuss, rpetrell, rrajasek, rsroka, saroy, scorneli, sdoran, sgott, sipoyare, slucidi, smcdonal, smullick, sostapov, spower, sseago, stcannon, sttts, tfister, tjochec, tkuratom, tstellar, tsweeney, twalsh, umohnani, vereddy, vkumar, whayutin, ytale
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: golang 1.19.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang package. The JoinPath function does not remove ../ path components appended to a domain that is not terminated by a slash, possibly leading to a directory traversal attack.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-08 18:33:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2127941, 2125778, 2126657, 2126658, 2126660, 2126662, 2126663, 2126664, 2126665, 2126666, 2126667, 2126668, 2126669, 2126670, 2126671, 2126672, 2126673, 2126674, 2126675, 2127942, 2130146, 2130147
Bug Blocks: 2124673

Description TEJ RATHI 2022-09-06 18:03:49 UTC
JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path. For example, JoinPath("https://go.dev", "../go") returned the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are cleaned from the result.

References:
https://go.dev/issue/54385
https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ

Upstream Commits:
Master: https://github.com/golang/go/commit/0765da5884adcc8b744979303a36a27092d8fc51
Branch go1.19: https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec
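The description above shows JoinPath returning https://go.dev/../go instead of a cleaned path. The Go helper below is an added example, not code from the Go project or from this bug report: it joins untrusted path elements onto a base URL with the standard library's URL.JoinPath (Go 1.19 or later) and then independently cleans the result and checks that it still lies under the base path, so the caller's safety does not depend on whether the toolchain is on the fixed side of golang 1.19.1. The JoinUnderBase name, the example.com base URL and the sample path elements are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrPathEscapesBase is returned when the joined, cleaned path is not the
// base path itself or a descendant of it.
var ErrPathEscapesBase = errors.New("joined path escapes the base URL path")

// JoinUnderBase joins elems onto base with URL.JoinPath, then cleans the
// resulting path itself and rejects anything that escapes the base path.
// Cleaning here is deliberate: a JoinPath that leaves "../" in place (the
// behaviour fixed in golang 1.19.1) and a JoinPath that removes it both end
// up compared in the same normalised form.
func JoinUnderBase(base string, elems ...string) (string, error) {
	baseURL, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	// An empty base path means the root; Clean also collapses "//" and "/./".
	basePath := path.Clean("/" + baseURL.Path)

	// JoinPath returns a copy of baseURL with the elements appended.
	joined := baseURL.JoinPath(elems...)

	// Normalise the decoded path ourselves. This also catches elements such
	// as "%2e%2e", which JoinPath decodes into ".." in joined.Path.
	joinedPath := path.Clean("/" + joined.Path)
	joined.Path = joinedPath
	joined.RawPath = "" // let String() re-escape from the cleaned Path

	// Require the base path itself or a strict descendant ("/api/v1/…"),
	// so that "/api/v10" is not mistaken for something under "/api/v1".
	prefix := strings.TrimSuffix(basePath, "/") + "/"
	if joinedPath != basePath && !strings.HasPrefix(joinedPath, prefix) {
		return "", fmt.Errorf("%w: %q is not under %q", ErrPathEscapesBase, joinedPath, basePath)
	}
	return joined.String(), nil
}

func main() {
	// Constructed inputs: one benign request and two that try to leave /api/v1.
	for _, elems := range [][]string{{"users", "42"}, {"../admin"}, {"%2e%2e/admin"}} {
		got, err := JoinUnderBase("https://example.com/api/v1", elems...)
		fmt.Printf("%q -> %q (err: %v)\n", elems, got, err)
	}
}
```

One trade-off to be aware of: path.Clean drops a trailing slash, so a caller that needs "https://example.com/api/v1/users/" to keep its final slash has to restore it after the check. The prefix comparison is done on the decoded, cleaned path rather than on the string JoinPath produced, which is what makes it hold across the vulnerable and fixed library versions.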

Comment 4 Avinash Hanwate 2022-09-14 08:24:34 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2126657]
Affects: fedora-all [bug 2126658]

Comment 12 errata-xmlrpc 2022-11-28 02:51:55 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2022:8634 https://access.redhat.com/errata/RHSA-2022:8634

Comment 15 Product Security DevOps Team 2022-12-08 18:33:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32190

Comment 18 errata-xmlrpc 2023-01-17 19:37:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399

Comment 19 errata-xmlrpc 2023-01-19 11:04:20 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264

Comment 21 errata-xmlrpc 2023-02-09 02:17:42 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693

Comment 22 errata-xmlrpc 2023-05-18 00:36:23 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13
  RHEL-7-CNV-4.13
  RHEL-8-CNV-4.13

Via RHSA-2023:3204 https://access.redhat.com/errata/RHSA-2023:3204

Comment 23 errata-xmlrpc 2023-05-18 02:55:12 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205

Comment 24 errata-xmlrpc 2023-05-18 14:27:39 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584

Comment 25 errata-xmlrpc 2023-06-15 16:00:48 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

Comment 26 errata-xmlrpc 2023-06-22 19:51:45 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

Comment 27 errata-xmlrpc 2023-06-26 01:15:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613

Comment 29 errata-xmlrpc 2024-01-31 16:18:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0485 https://access.redhat.com/errata/RHSA-2024:0485