FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

go -- syscall, os/exec: unsanitized NUL in environment variables

Affected packages
go118 < 1.18.8
go119 < 1.19.3

Details

VuXML ID 26b1100a-5a27-11ed-abfe-29ac76ec31b5
Discovery 2022-10-17
Entry 2022-11-01

The Go project reports:

syscall, os/exec: unsanitized NUL in environment variables

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".

[source]

References

CVE Name CVE-2022-41716
URL https://groups.google.com/g/golang-dev/c/83nKqv2W1Dk/m/gEJdD5vjDwAJ

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.