Go 1.19.3 and 1.18.8 Release: Security Fixes for os/exec and syscall Packages
Go versions 1.19.3 and 1.18.8 were released, each containing a security fix that addresses unsanitized NUL handling in the os/exec and syscall packages, particularly on Windows, and includes runtime error corrections.
Go versions 1.19.3 and 1.18.8 have been released, each containing a security fix that follows the Go security policy.
The fix addresses a vulnerability in the os/exec and syscall packages, correcting how environment variable strings containing unsanitized NUL bytes are handled; on Windows, a crafted value could be used to inject additional environment variables into a child process.
syscall, os/exec: unsanitized NUL in environment variables
On Windows, syscall.StartProcess and os/exec.Cmd did not validate malformed environment variable strings, so a single entry such as "A=B\x00C=D" could set two variables, A=B and C=D, instead of being rejected.
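To make the failure mode concrete, here is an added example (not code from the Go project or its fix) that models the NUL-separated environment block Windows passes to a child process, shows how the single entry "A=B\x00C=D" is read back as two variables, and applies the kind of pre-launch check the fix introduces. The function names `validateEnv`, `buildEnvBlock` and `parseEnvBlock` are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNULInEnv is returned for an entry that carries an embedded NUL byte.
var ErrNULInEnv = errors.New("invalid NUL in environment variable")

// validateEnv is an illustrative check (not Go's own code): every KEY=VALUE
// entry must contain "=" and no NUL byte, because NUL is the entry separator
// in the Windows environment block, so an embedded NUL splits one entry in two.
func validateEnv(env []string) error {
	for _, kv := range env {
		if strings.IndexByte(kv, 0) != -1 {
			return fmt.Errorf("%w: %q", ErrNULInEnv, kv)
		}
		if strings.IndexByte(kv, '=') == -1 {
			return fmt.Errorf("malformed environment entry %q", kv)
		}
	}
	return nil
}

// buildEnvBlock models the Windows layout: each entry followed by a NUL,
// with a final NUL closing the block. It deliberately does no validation.
func buildEnvBlock(env []string) []byte {
	var b []byte
	for _, kv := range env {
		b = append(b, kv...)
		b = append(b, 0)
	}
	return append(b, 0)
}

// parseEnvBlock reads the block back the way a child process would see it.
func parseEnvBlock(block []byte) []string {
	var out []string
	for _, e := range strings.Split(strings.TrimRight(string(block), "\x00"), "\x00") {
		if e != "" {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	env := []string{"A=B\x00C=D"} // constructed sample: one entry with an embedded NUL
	fmt.Println(parseEnvBlock(buildEnvBlock(env))) // [A=B C=D]: one entry became two
	fmt.Println(validateEnv(env))                   // invalid NUL in environment variable: "A=B\x00C=D"
}
```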
For full details, see the Go release notes. Russ Cox, who leads the Go team, notes that these fixes are unrelated to the OpenSSL critical patch and that Go does not rank the severity of its security patches, leaving prioritization to developers.