| id: GO-2021-0264 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.16.10 |
| - introduced: 1.17.0-0 |
| - fixed: 1.17.3 |
| vulnerable_at: 1.17.2 |
| packages: |
| - package: archive/zip |
| symbols: |
| - split |
| - Reader.Open |
| skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)' |
| summary: Panic when opening certain archives in archive/zip |
| description: |- |
| Previously, opening a zip with (*Reader).Open could result in a panic if the zip |
| contained a file whose name was exclusively made up of slash characters or ".." |
| path elements. |
| |
| Open could also panic if passed the empty string directly as an argument. |
| |
| Now, any files in the zip whose name could not be made valid for fs.FS.Open will |
| be skipped, and no longer added to the fs.FS file list, although they are still |
| accessible through (*Reader).File. |
| |
| Note that it was already the case that a file could be accessible from |
| (*Reader).Open with a name different from the one in (*Reader).File, as the |
| former is the cleaned name, while the latter is the original one. |
| |
| Finally, the actual panic site was made robust as a defense-in-depth measure. |
| published: 2022-01-13T20:54:43Z |
| cves: |
| - CVE-2021-41772 |
| credits: |
| - Colin Arnott (SiteHost) |
| - Noah Santschi-Cooney (Sourcegraph Code Intelligence Team) |
| references: |
| - fix: https://go.dev/cl/349770 |
| - fix: https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f |
| - web: https://groups.google.com/g/golang-announce/c/0fM21h43arc |
| - report: https://go.dev/issue/48085 |
| review_status: REVIEWED |