reports: add GO-2021-0264 for CVE-2021-41772

Fixes golang/vulndb#264

Change-Id: I216dd755d513e9dfc33e2b339aeb74c373a9036a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377615
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/reports/GO-2021-0264.yaml b/reports/GO-2021-0264.yaml
new file mode 100644
index 0000000..dcd5b2b
--- /dev/null
+++ b/reports/GO-2021-0264.yaml
@@ -0,0 +1,33 @@
+module: std
+package: archive/zip
+versions:
+  - fixed: go1.16.10
+  - fixed: go1.17.3
+description: |
+  Previously, opening a zip with (*Reader).Open could result in a panic if the
+  zip contained a file whose name was exclusively made up of slash characters or
+  ".." path elements.
+
+  Open could also panic if passed the empty string directly as an argument.
+
+  Now, any files in the zip whose name could not be made valid for fs.FS.Open
+  will be skipped, and no longer added to the fs.FS file list, although they
+  are still accessible through (*Reader).File.
+
+  Note that it was already the case that a file could be accessible from
+  (*Reader).Open with a name different from the one in (*Reader).File, as the
+  former is the cleaned name, while the latter is the original one.
+
+  Finally, the actual panic site was made robust as a defense-in-depth measure.
+cves:
+  - CVE-2021-41772
+credit: Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team
+symbols:
+  - split
+  - Reader.Open
+links:
+  pr: https://go.dev/cl/349770
+  commit: https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f
+  context:
+    - https://groups.google.com/g/golang-announce/c/0fM21h43arc
+    - https://go.dev/issue/48085
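Review bot: in the versions list, both entries carry only a fixed bound and no introduced bound, so the second range (everything before go1.17.3) also covers go1.16.10 and the later 1.16 releases that the first entry marks as fixed. Consider giving the second entry a lower bound, for example `introduced: go1.17` next to `fixed: go1.17.3`, so that a tool evaluating the ranges does not report a patched 1.16.x as affected. A smaller point on the description: it reads as a changelog ("Previously ... Now ..."), and a first sentence stating the impact directly (Reader.Open panics on an archive containing a name made up only of slashes or ".." elements, or when passed the empty string) would make the report easier to triage.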