Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 878389 (CVE-2022-41716)

Summary: dev-lang/go: Windows environment variable mishandling
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ?? [upstream]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-26 17:12:46 UTC
"We plan to issue Go 1.19.3 and Go 1.18.8 on Tuesday, November 1.

These minor releases include PRIVATE security fixes to the standard library."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-01 17:35:40 UTC
"These minor releases include 1 security fixes following the security policy <>:

-       syscall, os/exec: unsanitized NUL in environment variables

        On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this
+behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".

        Thanks to RyotaK ( for reporting this issue.

        This is CVE-2022-41716 and Go issue"

Only Windows.