data/reports/GO-2021-0240.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.15.13
       - introduced: 1.16.0
         fixed: 1.16.5
     packages:
       - package: archive/zip
         symbols:
           - Reader.init
         skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
 description: |
     NewReader and OpenReader can cause a panic or an unrecoverable
     fatal error when reading an archive that claims to contain a large
     number of files, regardless of its actual size.
 published: 2022-02-17T17:33:25Z
 cves:
   - CVE-2021-33196
 credit: |
     the OSS-Fuzz project for discovering this issue and
     Emmanuel Odeke for reporting it
 references:
   - fix: https://go.dev/cl/318909
   - fix: https://go.googlesource.com/go/+/74242baa4136c7a9132a8ccd9881354442788c8c
   - web: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
   - report: https://go.dev/issue/46242
	modules:
	- module: std
	versions:
	- fixed: 1.15.13
	- introduced: 1.16.0
	fixed: 1.16.5
	packages:
	- package: archive/zip
	symbols:
	- Reader.init
	skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
	description: \|
	NewReader and OpenReader can cause a panic or an unrecoverable
	fatal error when reading an archive that claims to contain a large
	number of files, regardless of its actual size.
	published: 2022-02-17T17:33:25Z
	cves:
	- CVE-2021-33196
	credit: \|
	the OSS-Fuzz project for discovering this issue and
	Emmanuel Odeke for reporting it
	references:
	- fix: https://go.dev/cl/318909
	- fix: https://go.googlesource.com/go/+/74242baa4136c7a9132a8ccd9881354442788c8c
	- web: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
	- report: https://go.dev/issue/46242