x/vulndb: potential Go vuln in github.com/moby/buildkit: CVE-2020-27534

[tatianab]

CVE-2020-27534 references github.com/moby/buildkit, which may be a Go module.

Description:
util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-27534
• fix: Avoid creation of irrelevant temporary files on Windows moby/buildkit#1462
• fix: [19.03] vendor: buildkit v0.6.4-5-g59e305aa moby/moby#40877
• web: http://web.archive.org/web/20200530054359/https://docs.docker.com/engine/release-notes/
• web: https://go.dev/pkg/io/ioutil/#TempDir
• web: https://go.dev/pkg/os/#TempDir
• Imported by: https://pkg.go.dev/github.com/moby/buildkit?tab=importedby

Cross references:

• Module github.com/moby/buildkit appears in issue x/vulndb: potential Go vuln in github.com/moby/buildkit: CVE-2023-26054 #1609 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/moby/buildkit
      vulnerable_at: 0.12.3
      packages:
        - package: n/a
cves:
    - CVE-2020-27534
references:
    - fix: https://github.com/moby/buildkit/pull/1462
    - fix: https://github.com/moby/moby/pull/40877
    - web: http://web.archive.org/web/20200530054359/https://docs.docker.com/engine/release-notes/
    - web: https://go.dev/pkg/io/ioutil/#TempDir
    - web: https://go.dev/pkg/os/#TempDir

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports