
Commit ecb026e

thatnealpatelgopherbot
authored andcommitted
data/reports: add GO-2025-3750 (os, goos:windows)
- data/reports/GO-2025-3750.yaml Fixes #3750 Change-Id: Ic2399872cc919b49617ff49dee62436e070f4eb8 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/680915 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]> Auto-Submit: Neal Patel <[email protected]>
1 parent 68854ed commit ecb026e


3 files changed

+475
-0
lines changed


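--- a/data/cve/v5/GO-2025-3750.json
+++ b/data/cve/v5/GO-2025-3750.json
@@ -0,0 +1,255 @@
+{
+"dataType": "CVE_RECORD",
+"dataVersion": "5.0",
+"cveMetadata": {
+"cveId": "CVE-2025-0913"
+},
+"containers": {
+"cna": {
+"providerMetadata": {
+"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+},
+"title": "Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall",
+"descriptions": [
+{
+"lang": "en",
+"value": "os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink."
+}
+],
+"affected": [
+{
+"vendor": "Go standard library",
+"product": "syscall",
+"collectionURL": "https://pkg.go.dev",
+"packageName": "syscall",
+"versions": [
+{
+"version": "0",
+"lessThan": "1.23.10",
+"status": "affected",
+"versionType": "semver"
+},
+{
+"version": "1.24.0-0",
+"lessThan": "1.24.4",
+"status": "affected",
+"versionType": "semver"
+}
+],
+"platforms": [
+"windows"
+],
+"programRoutines": [
+{
+"name": "Open"
+}
+],
+"defaultStatus": "unaffected"
+},
+{
+"vendor": "Go standard library",
+"product": "os",
+"collectionURL": "https://pkg.go.dev",
+"packageName": "os",
+"versions": [
+{
+"version": "0",
+"lessThan": "1.23.10",
+"status": "affected",
+"versionType": "semver"
+},
+{
+"version": "1.24.0-0",
+"lessThan": "1.24.4",
+"status": "affected",
+"versionType": "semver"
+}
+],
+"platforms": [
+"windows"
+],
+"programRoutines": [
+{
+"name": "OpenFile"
+},
+{
+"name": "Root.OpenFile"
+},
+{
+"name": "Chdir"
+},
+{
+"name": "Chmod"
+},
+{
+"name": "Chown"
+},
+{
+"name": "CopyFS"
+},
+{
+"name": "Create"
+},
+{
+"name": "CreateTemp"
+},
+{
+"name": "File.ReadDir"
+},
+{
+"name": "File.Readdir"
+},
+{
+"name": "File.Readdirnames"
+},
+{
+"name": "Getwd"
+},
+{
+"name": "Lchown"
+},
+{
+"name": "Link"
+},
+{
+"name": "Lstat"
+},
+{
+"name": "Mkdir"
+},
+{
+"name": "MkdirAll"
+},
+{
+"name": "MkdirTemp"
+},
+{
+"name": "NewFile"
+},
+{
+"name": "Open"
+},
+{
+"name": "OpenInRoot"
+},
+{
+"name": "OpenRoot"
+},
+{
+"name": "Pipe"
+},
+{
+"name": "ReadDir"
+},
+{
+"name": "ReadFile"
+},
+{
+"name": "Remove"
+},
+{
+"name": "RemoveAll"
+},
+{
+"name": "Rename"
+},
+{
+"name": "Root.Create"
+},
+{
+"name": "Root.Lstat"
+},
+{
+"name": "Root.Mkdir"
+},
+{
+"name": "Root.Open"
+},
+{
+"name": "Root.OpenRoot"
+},
+{
+"name": "Root.Remove"
+},
+{
+"name": "Root.Stat"
+},
+{
+"name": "StartProcess"
+},
+{
+"name": "Stat"
+},
+{
+"name": "Symlink"
+},
+{
+"name": "Truncate"
+},
+{
+"name": "WriteFile"
+},
+{
+"name": "dirFS.Open"
+},
+{
+"name": "dirFS.ReadDir"
+},
+{
+"name": "dirFS.ReadFile"
+},
+{
+"name": "dirFS.Stat"
+},
+{
+"name": "rootFS.Open"
+},
+{
+"name": "rootFS.ReadDir"
+},
+{
+"name": "rootFS.ReadFile"
+},
+{
+"name": "rootFS.Stat"
+},
+{
+"name": "unixDirent.Info"
+}
+],
+"defaultStatus": "unaffected"
+}
+],
+"problemTypes": [
+{
+"descriptions": [
+{
+"lang": "en",
+"description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"
+}
+]
+}
+],
+"references": [
+{
+"url": "https://go.dev/cl/672396"
+},
+{
+"url": "https://go.dev/issue/73702"
+},
+{
+"url": "https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A"
+},
+{
+"url": "https://pkg.go.dev/vuln/GO-2025-3750"
+}
+],
+"credits": [
+{
+"lang": "en",
+"value": "Junyoung Park and Dong-uk Kim of KAIST Hacking Lab"
+}
+]
+}
+}
+}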
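Review bot: The `title` ends in "in os in syscall", which reads as a doubled preposition rather than naming two affected packages; `"title": "Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os and syscall"` would be clearer. The same string is the `summary` in data/osv/GO-2025-3750.json, so both presumably come from the report YAML, which this page does not show, and the wording is best fixed there. The description's example `os.OpenFile(path, os.O_CREATE|O_EXCL)` also drops the `os.` qualifier on the second flag. It would help readers triaging this record to add a sentence saying who is exposed: by the text given, Windows programs that rely on O_CREATE|O_EXCL to refuse an existing path in a location where another party can place a symlink.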

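--- a/data/osv/GO-2025-3750.json
+++ b/data/osv/GO-2025-3750.json
@@ -0,0 +1,131 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2025-3750",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2025-0913"
+],
+"summary": "Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall",
+"details": "os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.",
+"affected": [
+{
+"package": {
+"name": "stdlib",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.23.10"
+},
+{
+"introduced": "1.24.0-0"
+},
+{
+"fixed": "1.24.4"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "syscall",
+"goos": [
+"windows"
+],
+"symbols": [
+"Open"
+]
+},
+{
+"path": "os",
+"goos": [
+"windows"
+],
+"symbols": [
+"Chdir",
+"Chmod",
+"Chown",
+"CopyFS",
+"Create",
+"CreateTemp",
+"File.ReadDir",
+"File.Readdir",
+"File.Readdirnames",
+"Getwd",
+"Lchown",
+"Link",
+"Lstat",
+"Mkdir",
+"MkdirAll",
+"MkdirTemp",
+"NewFile",
+"Open",
+"OpenFile",
+"OpenInRoot",
+"OpenRoot",
+"Pipe",
+"ReadDir",
+"ReadFile",
+"Remove",
+"RemoveAll",
+"Rename",
+"Root.Create",
+"Root.Lstat",
+"Root.Mkdir",
+"Root.Open",
+"Root.OpenFile",
+"Root.OpenRoot",
+"Root.Remove",
+"Root.Stat",
+"StartProcess",
+"Stat",
+"Symlink",
+"Truncate",
+"WriteFile",
+"dirFS.Open",
+"dirFS.ReadDir",
+"dirFS.ReadFile",
+"dirFS.Stat",
+"rootFS.Open",
+"rootFS.ReadDir",
+"rootFS.ReadFile",
+"rootFS.Stat",
+"unixDirent.Info"
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "FIX",
+"url": "https://go.dev/cl/672396"
+},
+{
+"type": "REPORT",
+"url": "https://go.dev/issue/73702"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A"
+}
+],
+"credits": [
+{
+"name": "Junyoung Park and Dong-uk Kim of KAIST Hacking Lab"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2025-3750",
+"review_status": "REVIEWED"
+}
+}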
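Review bot: `unixDirent.Info` is listed under the `os` import whose `goos` is `["windows"]`, yet by its name that type looks Unix-only, so the derived symbol list may have been computed for a non-Windows build. If so, the entry can never match on the affected platform and, more importantly, Windows-specific call paths to `OpenFile` could be missing from `symbols`; it is worth checking the list against the Windows build constraints. The same entry appears in `programRoutines` in data/cve/v5/GO-2025-3750.json. Separately, `modified` and `published` are both `0001-01-01T00:00:00Z`; if these are placeholders filled in at publication that is fine, but anything ingesting this file directly should not treat them as real dates.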
