syscall, os/exec: unsanitized NUL in environment variables

[neild]

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

[heschi]

This issue is currently not marked as security or release-blocking. Should it block the next minor release?

[heschi]

cc @golang/security @golang/release

[neild]

@gopherbot please open backport issues

(Sorry, I keep getting the process on this wrong. This issue is for the fix, backport issues for upcoming minor releases.)