x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2019-11503

[tatianab]

CVE-2019-11503 references github.com/snapcore/snapd, which may be a Go module.

Description:
snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass."

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-11503
• web: https://www.openwall.com/lists/oss-security/2019/04/18/4
• fix: cmd/snap-confine: prevent cwd restore permission bypass canonical/snapd#6642
• web: http://www.openwall.com/lists/oss-security/2019/04/25/7
• web: https://lists.fedoraproject.org/archives/list/[email protected]/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/
• web: https://lists.fedoraproject.org/archives/list/[email protected]/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/
• Imported by: https://pkg.go.dev/github.com/snapcore/snapd?tab=importedby

Cross references:

• Module github.com/snapcore/snapd appears in issue x/vulndb: potential Go vuln in github.com/snapcore/snapd: CVE-2023-1523 #2034 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/snapcore/snapd
      vulnerable_at: 0.0.0-20231108120709-a90520700167
      packages:
        - package: n/a
cves:
    - CVE-2019-11503
references:
    - web: https://www.openwall.com/lists/oss-security/2019/04/18/4
    - fix: https://github.com/snapcore/snapd/pull/6642
    - web: http://www.openwall.com/lists/oss-security/2019/04/25/7
    - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/6VACEKVQ7UAZ32WO4ZKCFW6YOBSYJ76L/
    - web: https://lists.fedoraproject.org/archives/list/[email protected]/message/VPU6APEZHAA7N2AI57OT4J2P7NKHFOLM/

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports