Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

os/exec: Cmd.{Run,Start} should fail if Cmd.Path is unset [1.17 backport] #53056

Closed
gopherbot opened this issue May 24, 2022 · 3 comments
Closed

os/exec: Cmd.{Run,Start} should fail if Cmd.Path is unset [1.17 backport] #53056

gopherbot opened this issue May 24, 2022 · 3 comments
Labels
CherryPickApproved Security
Milestone

Comments

@gopherbot
Copy link

@gopherbot gopherbot commented May 24, 2022

@rolandshoemaker requested issue #52574 to be considered for backport to the next 1.17 minor release.

@gopherbot please open backport issues, this is a minor security issue.

@gopherbot gopherbot added the CherryPickCandidate label May 24, 2022
@gopherbot gopherbot added this to the Go1.17.11 milestone May 24, 2022
@toothrot toothrot added the CherryPickApproved label May 25, 2022
@toothrot
Copy link
Contributor

@toothrot toothrot commented May 25, 2022

Approved. This is a serious issue with no workaround. @rolandshoemaker Does this need security text?

@gopherbot gopherbot removed the CherryPickCandidate label May 25, 2022
@gopherbot
Copy link
Author

@gopherbot gopherbot commented May 25, 2022

Change https://go.dev/cl/408578 mentions this issue: [release-branch.go1.17] os/exec: return clear error for missing cmd.Path

@gopherbot
Copy link
Author

@gopherbot gopherbot commented May 27, 2022

Closed by merging 590b53f to release-branch.go1.17.

gopherbot pushed a commit that referenced this issue May 27, 2022
Following up on CL 403694, there is a bit of confusion about
when Path is and isn't set, along with now the exported Err field.
Catch the case where Path and Err (and lookPathErr) are all unset
and give a helpful error.

Updates #52574
Followup after #43724.

Fixes #53056
Fixes CVE-2022-30580

Change-Id: I03205172aef3801c3194f5098bdb93290c02b1b6
Reviewed-on: https://go-review.googlesource.com/c/go/+/403759
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 960ffa9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/408578
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CherryPickApproved Security
Projects
None yet
Development

No branches or pull requests

3 participants