| { |
| "id": "GO-2021-0264", |
| "published": "2022-01-13T20:54:43Z", |
| "modified": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2021-41772" |
| ], |
| "details": "Previously, opening a zip with (*Reader).Open could result in a panic if the\nzip contained a file whose name was exclusively made up of slash characters or\n\"..\" path elements.\n\nOpen could also panic if passed the empty string directly as an argument.\n\nNow, any files in the zip whose name could not be made valid for fs.FS.Open\nwill be skipped, and no longer added to the fs.FS file list, although they\nare still accessible through (*Reader).File.\n\nNote that it was already the case that a file could be accessible from\n(*Reader).Open with a name different from the one in (*Reader).File, as the\nformer is the cleaned name, while the latter is the original one.\n\nFinally, the actual panic site was made robust as a defense-in-depth measure.\n", |
| "affected": [ |
| { |
| "package": { |
| "name": "stdlib", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.16.10" |
| }, |
| { |
| "introduced": "1.17.0" |
| }, |
| { |
| "fixed": "1.17.3" |
| } |
| ] |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2021-0264" |
| }, |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "archive/zip", |
| "symbols": [ |
| "Reader.Open", |
| "split" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://go.dev/cl/349770" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc" |
| }, |
| { |
| "type": "REPORT", |
| "url": "https://go.dev/issue/48085" |
| } |
| ] |
| } |
