security: fix CVE-2022-41722 [1.19 backport] #57275

gopherbot · 2022-12-13T00:52:34Z

@neild requested issue #57274 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues. This is a security fix.

rolandshoemaker · 2023-02-06T20:12:42Z

Manually bumping because backports were opened before 1.20 was released.

gopherbot · 2023-02-14T16:39:33Z

Change https://go.dev/cl/468115 mentions this issue: [release-branch.go1.19] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

… c:\b on Windows Do not permit Clean to convert a relative path into one starting with a drive reference. This change causes Clean to insert a . path element at the start of a path when the original path does not start with a volume name, and the first path element would contain a colon. This may introduce a spurious but harmless . path element under some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`. This reverts CL 401595, since the change here supersedes the one in that CL. Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. Updates #57274 Fixes #57275 Fixes CVE-2022-41722 Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249 Reviewed-by: Roland Shoemaker <bracewell@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> (cherry picked from commit 780dfa043ff5192c37de0d6fd1053a66b2b9f378) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728206 Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/468115 Reviewed-by: Than McIntosh <thanm@google.com> Run-TryBot: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com>

gopherbot · 2023-02-14T17:27:20Z

Closed by merging 3345ddc to release-branch.go1.19.

gopherbot added the CherryPickCandidate Used during the release process for point releases label Dec 13, 2022

gopherbot mentioned this issue Dec 13, 2022

path/filepath: path traversal in filepath.Clean on Windows (CVE-2022-41722) #57274

Closed

gopherbot added this to the Go1.18.10 milestone Dec 13, 2022

heschi added the Security label Jan 4, 2023

gopherbot modified the milestones: Go1.18.10, Go1.18.11 Jan 10, 2023

rolandshoemaker modified the milestones: Go1.18.11, Go1.19.6 Feb 6, 2023

rolandshoemaker changed the title ~~security: fix CVE-2022-41722 [1.18 backport]~~ security: fix CVE-2022-41722 [1.19 backport] Feb 6, 2023

dr2chase added the CherryPickApproved Used during the release process for point releases label Feb 8, 2023

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Feb 8, 2023

gopherbot closed this as completed Feb 14, 2023

golang locked and limited conversation to collaborators Feb 14, 2024

gopherbot added the FrozenDueToAge label Feb 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security: fix CVE-2022-41722 [1.19 backport] #57275

security: fix CVE-2022-41722 [1.19 backport] #57275

gopherbot commented Dec 13, 2022 •

edited by rolandshoemaker

rolandshoemaker commented Feb 6, 2023

gopherbot commented Feb 14, 2023

gopherbot commented Feb 14, 2023

security: fix CVE-2022-41722 [1.19 backport] #57275

security: fix CVE-2022-41722 [1.19 backport] #57275

Comments

gopherbot commented Dec 13, 2022 • edited by rolandshoemaker

rolandshoemaker commented Feb 6, 2023

gopherbot commented Feb 14, 2023

gopherbot commented Feb 14, 2023

gopherbot commented Dec 13, 2022 •

edited by rolandshoemaker