data/reports/GO-2021-0264.yaml - vulndb - Git at Google

 id: GO-2021-0264
 modules:
     - module: std
       versions:
         - fixed: 1.16.10
         - introduced: 1.17.0-0
           fixed: 1.17.3
       vulnerable_at: 1.17.2
       packages:
         - package: archive/zip
           symbols:
             - split
             - Reader.Open
           skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
 summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
 description: |
     Previously, opening a zip with (*Reader).Open could result in a panic if the
     zip contained a file whose name was exclusively made up of slash characters or
     ".." path elements.

     Open could also panic if passed the empty string directly as an argument.

     Now, any files in the zip whose name could not be made valid for fs.FS.Open
     will be skipped, and no longer added to the fs.FS file list, although they
     are still accessible through (*Reader).File.

     Note that it was already the case that a file could be accessible from
     (*Reader).Open with a name different from the one in (*Reader).File, as the
     former is the cleaned name, while the latter is the original one.

     Finally, the actual panic site was made robust as a defense-in-depth measure.
 published: 2022-01-13T20:54:43Z
 cves:
     - CVE-2021-41772
 credits:
     - Colin Arnott (SiteHost)
     - Noah Santschi-Cooney (Sourcegraph Code Intelligence Team)
 references:
     - fix: https://go.dev/cl/349770
     - fix: https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f
     - web: https://groups.google.com/g/golang-announce/c/0fM21h43arc
     - report: https://go.dev/issue/48085
	id: GO-2021-0264
	modules:
	- module: std
	versions:
	- fixed: 1.16.10
	- introduced: 1.17.0-0
	fixed: 1.17.3
	vulnerable_at: 1.17.2
	packages:
	- package: archive/zip
	symbols:
	- split
	- Reader.Open
	skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
	summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
	description: \|
	Previously, opening a zip with (*Reader).Open could result in a panic if the
	zip contained a file whose name was exclusively made up of slash characters or
	".." path elements.

	Open could also panic if passed the empty string directly as an argument.

	Now, any files in the zip whose name could not be made valid for fs.FS.Open
	will be skipped, and no longer added to the fs.FS file list, although they
	are still accessible through (*Reader).File.

	Note that it was already the case that a file could be accessible from
	(Reader).Open with a name different from the one in (Reader).File, as the
	former is the cleaned name, while the latter is the original one.

	Finally, the actual panic site was made robust as a defense-in-depth measure.
	published: 2022-01-13T20:54:43Z
	cves:
	- CVE-2021-41772
	credits:
	- Colin Arnott (SiteHost)
	- Noah Santschi-Cooney (Sourcegraph Code Intelligence Team)
	references:
	- fix: https://go.dev/cl/349770
	- fix: https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f
	- web: https://groups.google.com/g/golang-announce/c/0fM21h43arc
	- report: https://go.dev/issue/48085