blob: fca4f4b00866c4f48242ff48cafa8b46cb752e4d [file] [log] [blame]
id: GO-2021-0240
modules:
- module: std
versions:
- fixed: 1.15.13
- introduced: 1.16.0-0
- fixed: 1.16.5
vulnerable_at: 1.16.4
packages:
- package: archive/zip
symbols:
- Reader.init
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Panic when reading certain archives in archive/zip
description: |-
NewReader and OpenReader can cause a panic or an unrecoverable fatal error when
reading an archive that claims to contain a large number of files, regardless of
its actual size.
published: 2022-02-17T17:33:25Z
cves:
- CVE-2021-33196
credits:
- OSS-Fuzz (discovery)
- Emmanuel Odeke (reporter)
references:
- fix: https://go.dev/cl/318909
- fix: https://go.googlesource.com/go/+/74242baa4136c7a9132a8ccd9881354442788c8c
- web: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
- report: https://go.dev/issue/46242
review_status: REVIEWED