Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/google/fscrypt: CVE-2022-25326 #339

Closed
GoVulnBot opened this issue Feb 25, 2022 · 4 comments
Closed

x/vulndb: potential Go vuln in github.com/google/fscrypt: CVE-2022-25326 #339

GoVulnBot opened this issue Feb 25, 2022 · 4 comments
Assignees
@neild
Labels
cve-year-2022 excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In CVE-2022-25326, the reference URL github.com/google/fscrypt (and possibly others) refers to something in Go.

module: github.com/google/fscrypt
package: fscrypt
description: |
    fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, allowing unprivileged users to exhaust filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and adjusting the permissions on existing fscrypt metadata directories where applicable.
cves:
  - CVE-2022-25326
credit: Matthias Gerstner of SUSE
links:
    pr: https://github.com/google/fscrypt/pull/346

See doc/triage.md for instructions on how to triage this report.
@neild neild assigned neild and unassigned rolandshoemaker Jul 7, 2022
@neild
Copy link
Contributor

neild commented Jul 7, 2022

The affected package, github.com/google/fscrypt/filesystem, is importable, but has 0 imports according to pkg.go.dev. The commit that fixes this issue introduces a backwards-incompatible change to that package. I think this can be viewed as an effectively internal package.

@neild neild closed this as completed Jul 7, 2022
This was referenced Jul 7, 2022
Closed
Closed
@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 11, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/514876 mentions this issue: data/excluded: update GO-2022-0339.yaml to add alias

gopherbot pushed a commit that referenced this issue Aug 1, 2023
@tatianab
data/excluded: update GO-2022-0339.yaml to add alias
ea84fe2 
Updates #339
Fixes #366

Change-Id: Ibb09e94a38149a3af3b7548816ad1f88c7d82298
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/514876
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592766 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607216 mentions this issue: data/reports: unexclude 20 reports (14)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (14)
b61874e 
  - data/reports/GO-2022-0314.yaml
  - data/reports/GO-2022-0315.yaml
  - data/reports/GO-2022-0325.yaml
  - data/reports/GO-2022-0328.yaml
  - data/reports/GO-2022-0329.yaml
  - data/reports/GO-2022-0339.yaml
  - data/reports/GO-2022-0340.yaml
  - data/reports/GO-2022-0342.yaml
  - data/reports/GO-2022-0344.yaml
  - data/reports/GO-2022-0348.yaml
  - data/reports/GO-2022-0350.yaml
  - data/reports/GO-2022-0351.yaml
  - data/reports/GO-2022-0353.yaml
  - data/reports/GO-2022-0354.yaml
  - data/reports/GO-2022-0357.yaml
  - data/reports/GO-2022-0358.yaml
  - data/reports/GO-2022-0359.yaml
  - data/reports/GO-2022-0360.yaml
  - data/reports/GO-2022-0363.yaml
  - data/reports/GO-2022-0365.yaml

Updates #314
Updates #315
Updates #325
Updates #328
Updates #329
Updates #339
Updates #340
Updates #342
Updates #344
Updates #348
Updates #350
Updates #351
Updates #353
Updates #354
Updates #357
Updates #358
Updates #359
Updates #360
Updates #363
Updates #365

Change-Id: I88cff49c8c254ce8df68a3fb336657e69cb8ed58
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607216
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@neild neild

Labels
cve-year-2022 excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@neild @rolandshoemaker @julieqiu @gopherbot @GoVulnBot