blob: e6745324e6ad09ea9a5dddb5e06025e14d16e3f3 [file] [log] [blame]
id: GO-2021-0067
modules:
- module: std
versions:
- introduced: 1.16.0-0
fixed: 1.16.1
vulnerable_at: 1.16.0
packages:
- package: archive/zip
symbols:
- toValidName
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Panic when opening archives in archive/zip
description: |-
Using Reader.Open on an archive containing a file with a path prefixed by "../"
will cause a panic due to a stack overflow. If parsing user supplied archives,
this may be used as a denial of service vector.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2021-27919
references:
- fix: https://go.dev/cl/300489
- fix: https://go.googlesource.com/go/+/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8
- report: https://go.dev/issue/44916
- web: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw/m/zzhWj5jPAQAJ
review_status: REVIEWED