Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/golang/glog: CVE-2024-45339 #3372

Closed
tatianab opened this issue Jan 7, 2025 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/golang/glog: CVE-2024-45339 #3372

tatianab opened this issue Jan 7, 2025 · 2 comments
Assignees
@neild
Labels
first party high priority triaged

Comments

@tatianab
Copy link
Contributor

tatianab commented Jan 7, 2025
edited
Loading

Version v1.2.4 of the github.com/golang/glog module fixes a vulnerability when creating log files. When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file (a more detailed description of this vulnerability class and its mitigation options can be found at https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File). To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

Thanks to Josh McSavaney and Günther Noack for reporting and contributing the fix for this issue.

This is CVE-2024-45339 and golang/glog#74.

https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs
@tatianab tatianab self-assigned this Jan 7, 2025
@tatianab tatianab changed the title x/vulndb: potential Go vuln in <placeholder>: CVE-2024-45339 x/vulndb: potential Go vuln in github.com/golang/glog: CVE-2024-45339 Jan 7, 2025
@tatianab tatianab assigned neild and unassigned neild and tatianab Jan 17, 2025
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/644855 mentions this issue: data/reports: add 5 reports

@GoVulnBot GoVulnBot mentioned this issue Jan 28, 2025
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/645139 mentions this issue: data/reports: update GO-2025-3372 (add GHSA)

gopherbot pushed a commit that referenced this issue Jan 29, 2025
@tatianab @gopherbot
data/reports: update GO-2025-3372 (add GHSA)
660e6a5 
  - data/reports/GO-2025-3372.yaml

Fixes #3425
Fixes #3372

Change-Id: Ifc802e0b7e3f14533b35b39c08851a9c936ffdba
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/645139
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
@mge-fbe-com mge-fbe-com mentioned this issue Jan 29, 2025
Closed
facebook-github-bot pushed a commit to facebookincubator/dhcplb that referenced this issue Jan 30, 2025
@facebook-github-bot
Update github.com/golang/glog dependency to address CVE-2024-45339 (#48)
517055e 
Summary:
Version v1.2.4 of the [github.com/golang/glog](https://github.com/golang/glog) module fixes a vulnerability when creating log files.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-45339
golang/vulndb#3372

Ran
```
dhcplb % go mod tidy
go: downloading github.com/stretchr/testify v1.6.1
go: downloading github.com/davecgh/go-spew v1.1.0
go: downloading gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
go: downloading github.com/stretchr/objx v0.1.0

```

Pull Request resolved: #48

Reviewed By: vjt, pmazzini

Differential Revision: D68892328

Pulled By: mge-fbe-com

fbshipit-source-id: 8e0b040a4b3e32d8acf4cb5684b24e9469655cef
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
first party high priority triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@neild @tatianab @gopherbot