Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 878389 (CVE-2022-41716) - dev-lang/go: Windows environment variable mishandling
Summary: dev-lang/go: Windows environment variable mishandling
Status: RESOLVED INVALID
Alias: CVE-2022-41716
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://groups.google.com/g/golang-an...
Whiteboard: ?? [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-26 17:12 UTC by John Helmert III
Modified: 2022-11-01 17:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-26 17:12:46 UTC
"We plan to issue Go 1.19.3 and Go 1.18.8 on Tuesday, November 1.

These minor releases include PRIVATE security fixes to the standard library."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-01 17:35:40 UTC
"These minor releases include 1 security fixes following the security policy <https://go.dev/security>:

-       syscall, os/exec: unsanitized NUL in environment variables

        On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this
+behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".

        Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

        This is CVE-2022-41716 and Go issue https://go.dev/issue/56284."

Only Windows.