Bug 1937909 (CVE-2021-27919)
| Summary: | CVE-2021-27919 golang: archive/zip: panic when calling Reader.Open | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | admiller, alegrand, amctagga, amurdaca, anharris, anpicker, aos-bugs, aos-install, asm, bmontgom, bniver, bodavis, deparker, emachado, eparis, erooth, flucifre, fweimer, gmeno, hchiramm, hvyas, jakob, jakub, jburrell, jcajka, jhadvig, jmulligan, jokerman, jpadman, jwendell, jwon, kakkoyun, kconner, krathod, lball, lcosic, lemenkov, madam, maszulik, matzew, mbenjamin, mfojtik, mhackett, mnewsome, mpolacek, mthoemme, nstielau, ohudlick, pkrupa, puebele, rcernich, renich, rhs-bugs, rhuss, rrajasek, rtalur, sipoyare, sostapov, sponnaga, storage-qa-internal, sttts, surbania, tstellar, twalsh, vbatts, vereddy, xxia |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | go 1.16.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | An out of bounds read vulnerability was found in golang. When using the archive/zip standard library (stdlib) and an unexpected file is parsed, it can cause golang to attempt to read outside of a slice (array) causing a panic in the runtime. A potential attacker can use this vulnerability to craft an archive which causes an application using this library to crash resulting in a Denial of Service (DoS). | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-04-22 10:46:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1937910, 1937911 | | |
| Bug Blocks: | 1937912 | | |
Description

Guilherme de Almeida Suckevicz
2021-03-11 17:48:57 UTC

Created golang tracking bugs for this issue:
Affects: epel-all [bug 1937910]
Affects: fedora-all [bug 1937911]

The vulnerable function `Reader.Open` was only introduced in Go 1.16 [1]. Hence I suspect most RH products won't be affected.

[1] - https://github.com/golang/go/issues/44916#issue-827996397

Indeed Reader.go:Open was added here https://github.com/golang/go/commit/1296ee6b4f9058be75c799513ccb488d2f2dd085#diff-0080ec4a6ff2467b5511020b725e4f633f08384e892e18103af78e4fe9912278

So that confirms that the vulnerable functions were only added in go 1.16.

Removed Jaeger from whiteboard as it does not include any references to the archive/zip stdlib.

External References: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw

For OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) the components listed are what depend on the stdlib archive/zip. As they are compiled with an older version of golang (1.15 and earlier) they have been marked not affected.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27919
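The Doc Text above describes a crafted archive making `zip.Reader.Open` panic and take the calling process down. The following Go program is an added example, not code from the Go project or from this bug report: it wraps `Reader.Open` so that a panic escaping the call is recovered and returned as an ordinary error, which limits the blast radius to one failed request. The names `ErrOpenPanicked`, `recoverOpen`, `openEntry`, `readEntry`, `buildArchive` and `panickingOpen`, and the archive contents, are all constructed for this example; `panickingOpen` only simulates a panicking open and does not reproduce the out-of-bounds read itself. The wrapper is a stop-gap for code that cannot yet move to the fixed Go 1.16.1 named in the table; upgrading remains the actual fix.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"io/fs"
)

// ErrOpenPanicked marks a panic that escaped zip.Reader.Open and was
// converted into a returned error by recoverOpen.
var ErrOpenPanicked = errors.New("archive/zip: Reader.Open panicked")

// recoverOpen runs open and turns any panic it raises (including runtime
// errors such as a slice index out of range) into a returned error, so a
// hostile archive degrades to one failed call instead of a crashed process.
func recoverOpen(open func() (fs.File, error)) (f fs.File, err error) {
	defer func() {
		if p := recover(); p != nil {
			f = nil
			err = fmt.Errorf("%w: %v", ErrOpenPanicked, p)
		}
	}()
	return open()
}

// openEntry is the guarded replacement for a direct r.Open(name) call.
func openEntry(r *zip.Reader, name string) (fs.File, error) {
	return recoverOpen(func() (fs.File, error) { return r.Open(name) })
}

// readEntry parses an in-memory archive, opens one entry through the guard
// and returns that entry's bytes.
func readEntry(archive []byte, name string) ([]byte, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	f, err := openEntry(r, name)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

// buildArchive writes a small zip to memory. The entries are constructed
// sample input for this example, not data from the bug report.
func buildArchive(entries map[string]string) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range entries {
		fw, err := w.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte(body)); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// panickingOpen stands in for a Reader.Open call that panics on hostile
// input; it is a simulation, not the real archive/zip code path.
func panickingOpen() (fs.File, error) {
	panic("simulated panic inside Reader.Open")
}

func main() {
	archive, err := buildArchive(map[string]string{"hello.txt": "hi"})
	if err != nil {
		panic(err)
	}

	// Normal entry: the guard is transparent and the bytes come back.
	body, err := readEntry(archive, "hello.txt")
	fmt.Printf("hello.txt: %q err=%v\n", body, err)

	// Missing entry: Reader.Open returns its usual error, untouched by the guard.
	_, err = readEntry(archive, "missing.txt")
	fmt.Println("missing.txt:", err)

	// Panicking open: the process survives and the caller gets a typed error.
	_, err = recoverOpen(panickingOpen)
	fmt.Println("simulated panic:", err, "recognised:", errors.Is(err, ErrOpenPanicked))
}
```

Callers can branch on `errors.Is(err, ErrOpenPanicked)` to log the offending archive and reject it, which is also a useful detection signal: a burst of these errors from one source is worth alerting on.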