2161271 – (CVE-2022-41720) CVE-2022-41720 golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

Bug 2161271 (CVE-2022-41720) - CVE-2022-41720 golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

Summary: CVE-2022-41720 golang: os, net/http: avoid escapes from os.DirFS and http.Dir...

Keywords:
Status:	NEW
Alias:	CVE-2022-41720
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2161431 2161432
Blocks:	2161276
TreeView+	depends on / blocked

Reported:	2023-01-16 12:43 UTC by Avinash Hanwate
Modified:	2024-03-02 05:32 UTC (History)
CC List:	129 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in OS, net/http golang library. In Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted in a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With the fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2023-01-16 12:43:56 UTC

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
https://pkg.go.dev/vuln/GO-2022-1143
https://go.dev/cl/455716
https://go.dev/issue/56694

Comment 2 Anten Skrabec 2023-01-16 22:34:26 UTC

Created golang tracking bugs for this issue:

Affects: epel-all [bug 2161431]
Affects: fedora-all [bug 2161432]

Note You need to log in before you can comment on or make changes to this bug.

aazores
abishop
amackenz
amasferr
amctagga
ansmith
aoconnor
asm
bbaude
bbuckingham
bcl
bcoca
bcourt
bdettelb
bkundu
bniver
bodavis
chazlett
davidn
dbenoit
debarshir
desktop-qa-list
dwalsh
dymurray
eaguilar
ebaron
eglynn
ehelms
ellin
emachado
epacific
fdeutsch
flucifre
gmeno
gparvin
grafana-maint
ibolton
jaharrin
jburrell
jcammara
jcantril
jchui
jeder
jhardy
jjoyce
jkang
jkurik
jligon
jmatthew
jmontleo
jneedle
jnovy
jobarker
joelsmith
jpallich
jross
jscholz
jsherril
jwendell
jwon
lball
lhh
lmadsen
lsm5
lzap
mabashia
matzew
mbenjamin
mboddu
mburns
mgarciac
mhackett
mheon
mhulan
mkudlej
mmagr
mrunge
mwringe
nathans
nboldt
njean
nmoumoul
nobody
opohorel
orabin
oramraz
osapryki
osbuilders
oskutka
owatkins
pahickey
pcreech
pehunt
periklis
pjindal
pthomas
rcernich
rchan
rgarg
rhcos-sst
rhos-maint
rhuss
saroy
scorneli
sfroberg
sgott
shbose
simaishi
sipoyare
slucidi
smcdonal
smullick
sostapov
spower
sseago
stcannon
swoodman
teagle
tjochec
tstellar
tsweeney
twalsh
ubhargav
umohnani
vereddy
whayutin
yguenane
ytale
zsadeh