blob: 2374d5358568af8e256f0c9aad2622ec9ecfe5ce [file] [log] [blame]
id: GO-2021-0264
modules:
- module: std
versions:
- fixed: 1.16.10
- introduced: 1.17.0-0
- fixed: 1.17.3
vulnerable_at: 1.17.2
packages:
- package: archive/zip
symbols:
- split
- Reader.Open
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Panic when opening certain archives in archive/zip
description: |-
Previously, opening a zip with (*Reader).Open could result in a panic if the zip
contained a file whose name was exclusively made up of slash characters or ".."
path elements.
Open could also panic if passed the empty string directly as an argument.
Now, any files in the zip whose name could not be made valid for fs.FS.Open will
be skipped, and no longer added to the fs.FS file list, although they are still
accessible through (*Reader).File.
Note that it was already the case that a file could be accessible from
(*Reader).Open with a name different from the one in (*Reader).File, as the
former is the cleaned name, while the latter is the original one.
Finally, the actual panic site was made robust as a defense-in-depth measure.
published: 2022-01-13T20:54:43Z
cves:
- CVE-2021-41772
credits:
- Colin Arnott (SiteHost)
- Noah Santschi-Cooney (Sourcegraph Code Intelligence Team)
references:
- fix: https://go.dev/cl/349770
- fix: https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f
- web: https://groups.google.com/g/golang-announce/c/0fM21h43arc
- report: https://go.dev/issue/48085
review_status: REVIEWED