Bug 2292668 (CVE-2024-24789)
Summary: | CVE-2024-24789 golang: archive/zip: Incorrect handling of certain ZIP files | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marco Benatto <mbenatto> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | adudiak, alcohan, amctagga, anjoseph, aoconnor, asherlan, bdettelb, bniver, bodavis, brking, chazlett, danken, dbenoit, dfreiber, dhanak, dhellmann, dkenigsb, doconnor, dperaza, drow, dshah, dsimansk, dymurray, emachado, epacific, fdeutsch, flucifre, ganandan, ggiguash, gkamathe, gmeno, gparvin, haoli, hkataria, jajackso, jburrell, jcammara, jchui, jforrest, jhardy, jkoehler, jmatthew, jmitchel, jneedle, jobarker, joelsmith, jprabhak, jwendell, kegrant, kingland, koliveir, kshier, kverlaen, lbainbri, lchilton, lphiri, mabashia, manissin, matzew, mbenjamin, mhackett, mnewsome, mnovotny, njean, odf-bz-bot, omaciel, oramraz, owatkins, pahickey, pbraun, phoracek, pierdipi, rcernich, rgarg, rguimara, rhaigner, rhuss, rjohnson, sapillai, sausingh, sdawley, sfeifer, shvarugh, simaishi, sipoyare, smcdonal, smullick, sostapov, stcannon, stirabos, teagle, tfister, thason, thavo, tkral, tnielsen, tsweeney, twalsh, vereddy, vkumar, whayutin, wtam, yguenane, zsadeh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | go 1.22.4, go 1.21.11 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Golang. The ZIP implementation of the Go language archive/zip library behaves differently than the rest of the ZIP file format implementations. When handling ZIP files with a corrupted central directory record, the library skips over the invalid record and processes the next valid one. This flaw allows a malicious user to access hidden information or files inside maliciously crafted ZIP files.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2292671, 2292673, 2292674, 2292675, 2292744, 2349923, 2292669, 2292670, 2292672, 2292676, 2292677, 2292678, 2292679, 2292680, 2292681, 2292682, 2292683, 2292684, 2292685, 2292686, 2292687, 2292688, 2292689, 2292690, 2292691, 2292692, 2292693, 2292694, 2292695, 2292696, 2292697, 2292698, 2292700, 2292701, 2292702, 2292703, 2292704, 2292705, 2292706, 2292707, 2292708, 2292709, 2292710, 2292711, 2292712, 2292713, 2292714, 2292715, 2292716, 2292717, 2292718, 2292719, 2292720, 2292721, 2292722, 2292723, 2292745, 2292746, 2292747, 2292751, 2292752, 2292993 | ||
Bug Blocks: | 2292754 |
Description
Marco Benatto
2024-06-17 16:55:52 UTC
Created asnmap tracking bugs for this issue: Affects: fedora-all [bug 2292677]
Created bettercap tracking bugs for this issue: Affects: fedora-all [bug 2292678]
Created dnsx tracking bugs for this issue: Affects: fedora-all [bug 2292679]
Created doctl tracking bugs for this issue: Affects: fedora-all [bug 2292680]
Created exercism tracking bugs for this issue: Affects: fedora-all [bug 2292681]
Created gh tracking bugs for this issue: Affects: fedora-all [bug 2292682]
Created golang tracking bugs for this issue: Affects: epel-all [bug 2292670] Affects: fedora-all [bug 2292669]
Created golang-github-aws-lambda tracking bugs for this issue: Affects: fedora-all [bug 2292683]
Created golang-github-chai2010-gettext tracking bugs for this issue: Affects: fedora-all [bug 2292684]
Created golang-github-deepmap-oapi-codegen tracking bugs for this issue: Affects: fedora-all [bug 2292685]
Created golang-github-evanw-esbuild tracking bugs for this issue: Affects: fedora-all [bug 2292686]
Created golang-github-facebookincubator-go2chef tracking bugs for this issue: Affects: fedora-all [bug 2292687]
Created golang-github-francoispqt-gojay tracking bugs for this issue: Affects: fedora-all [bug 2292688]
Created golang-github-geertjohan-rice tracking bugs for this issue: Affects: fedora-all [bug 2292689]
Created golang-github-hashicorp-hc-install tracking bugs for this issue: Affects: fedora-all [bug 2292690]
Created golang-github-pelletier-toml tracking bugs for this issue: Affects: fedora-all [bug 2292691]
Created golang-github-pelletier-toml-2 tracking bugs for this issue: Affects: fedora-all [bug 2292692]
Created golang-github-pgaskin-koboutils tracking bugs for this issue: Affects: fedora-all [bug 2292693]
Created golang-github-projectdiscovery-chaos-client tracking bugs for this issue: Affects: fedora-all [bug 2292694]
Created golang-github-projectdiscovery-mapcidr tracking bugs for this issue: Affects: fedora-all [bug 2292695]
Created golang-github-rakyll-statik tracking bugs for this issue: Affects: fedora-all [bug 2292696]
Created golang-github-rogpeppe-internal tracking bugs for this issue: Affects: fedora-all [bug 2292697]
Created golang-github-schollz-croc tracking bugs for this issue: Affects: fedora-all [bug 2292698]
Created golang-helm-3 tracking bugs for this issue: Affects: fedora-all [bug 2292700]
Created golang-vitess tracking bugs for this issue: Affects: fedora-all [bug 2292701]
Created golang-x-exp tracking bugs for this issue: Affects: fedora-all [bug 2292702]
Created golang-x-mobile tracking bugs for this issue: Affects: fedora-all [bug 2292703]
Created golang-x-mod tracking bugs for this issue: Affects: fedora-all [bug 2292704]
Created golang-x-text tracking bugs for this issue: Affects: fedora-all [bug 2292705]
Created golang-x-tools tracking bugs for this issue: Affects: fedora-all [bug 2292706]
Created golang-x-vuln tracking bugs for this issue: Affects: fedora-all [bug 2292707]
Created google-osconfig-agent tracking bugs for this issue: Affects: fedora-all [bug 2292708]
Created gopass tracking bugs for this issue: Affects: fedora-all [bug 2292709]
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2292710]
Created hugo tracking bugs for this issue: Affects: fedora-all [bug 2292711]
Created kitty tracking bugs for this issue: Affects: fedora-all [bug 2292712]
Created micro tracking bugs for this issue: Affects: epel-all [bug 2292671] Affects: fedora-all [bug 2292713]
Created opentofu tracking bugs for this issue: Affects: fedora-all [bug 2292714]
Created pack tracking bugs for this issue: Affects: epel-all [bug 2292672] Affects: fedora-all [bug 2292715]
Created podman tracking bugs for this issue: Affects: fedora-all [bug 2292716]
Created rclone tracking bugs for this issue: Affects: epel-all [bug 2292673] Affects: fedora-all [bug 2292717]
Created restic tracking bugs for this issue: Affects: epel-all [bug 2292674] Affects: fedora-all [bug 2292718]
Created snapd tracking bugs for this issue: Affects: epel-all [bug 2292675] Affects: fedora-all [bug 2292719]
Created syncthing tracking bugs for this issue: Affects: epel-all [bug 2292676] Affects: fedora-all [bug 2292720]
Created tinygo tracking bugs for this issue: Affects: fedora-all [bug 2292721]
Created trivy tracking bugs for this issue: Affects: fedora-all [bug 2292722]
Created vagrant tracking bugs for this issue: Affects: fedora-all [bug 2292723]

This appears to be fixed in Go v1.22.4 and v1.21.11. Can someone from the Go or ProdSec teams verify and add a value to the "Fixed in Version" of this BZ, please?

In reply to comment #26:
> This appears to be fixed in Go v1.22.4 and v1.21.11. Can someone from the
> Go or ProdSec teams verify and add a value to the "Fixed in Version" of this
> BZ, please?

Done!

This issue has been addressed in the following products: Red Hat Enterprise Linux 9
Via RHSA-2024:4212 https://access.redhat.com/errata/RHSA-2024:4212

This issue has been addressed in the following products: Red Hat Enterprise Linux 8
Via RHSA-2024:4237 https://access.redhat.com/errata/RHSA-2024:4237

This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8
Via RHSA-2024:4867 https://access.redhat.com/errata/RHSA-2024:4867

This issue has been addressed in the following products: RHOSS-1.33-RHEL-8
Via RHSA-2024:4872 https://access.redhat.com/errata/RHSA-2024:4872

This issue has been addressed in the following products: OADP-1.3-RHEL-9
Via RHSA-2024:4982 https://access.redhat.com/errata/RHSA-2024:4982

This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.6.0-RHEL-9
Via RHSA-2024:4785 https://access.redhat.com/errata/RHSA-2024:4785

This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.6 for RHEL 8, Red Hat OpenShift Service Mesh 2.6 for RHEL 9
Via RHSA-2024:5094 https://access.redhat.com/errata/RHSA-2024:5094

This issue has been addressed in the following products: Red Hat Enterprise Linux 8
Via RHSA-2024:5258 https://access.redhat.com/errata/RHSA-2024:5258

This issue has been addressed in the following products: Red Hat Enterprise Linux 8
Via RHSA-2024:5291 https://access.redhat.com/errata/RHSA-2024:5291

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16
Via RHSA-2024:6004 https://access.redhat.com/errata/RHSA-2024:6004

This issue has been addressed in the following products: RHODF-4.16-RHEL-9
Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.17
Via RHSA-2024:3722 https://access.redhat.com/errata/RHSA-2024:3722

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.17
Via RHSA-2024:3718 https://access.redhat.com/errata/RHSA-2024:3718

This issue has been addressed in the following products: RHODF-4.17-RHEL-9
Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676

This issue has been addressed in the following products: Red Hat Enterprise Linux 9
Via RHSA-2024:9102 https://access.redhat.com/errata/RHSA-2024:9102

This issue has been addressed in the following products: Red Hat Enterprise Linux 9
Via RHSA-2024:9115 https://access.redhat.com/errata/RHSA-2024:9115

This issue has been addressed in the following products: Red Hat Advanced Cluster Security 4.4
Via RHSA-2024:9583 https://access.redhat.com/errata/RHSA-2024:9583

This issue has been addressed in the following products: Red Hat Advanced Cluster Security 4.5
Via RHSA-2024:10186 https://access.redhat.com/errata/RHSA-2024:10186

This issue has been addressed in the following products: Red Hat Advanced Cluster Security 4.6
Via RHSA-2024:10775 https://access.redhat.com/errata/RHSA-2024:10775
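The Doc Text field describes the flaw as archive/zip continuing past a corrupted central directory record, so that what the Go reader sees can differ from what other ZIP implementations see. The Go program below is an added example, not code from this bug report or from the Go project: it shows the defensive posture a consumer of untrusted archives wants, namely a strict walker that checks every central directory record the end-of-central-directory (EOCD) record claims exists and rejects the whole archive on the first signature or length inconsistency instead of skipping or truncating. The two sample archives are constructed inline (one intact, one with a deliberately zeroed record signature as the fixture that exercises the check); the helper names `ValidateCentralDirectory`, `findEOCD`, `buildSampleZip` and `sampleWithDamagedRecord` are my own. The `main` also feeds each sample to `archive/zip` so the behaviour of the installed toolchain can be compared with the strict check.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Signatures and fixed header sizes from the ZIP format specification.
const (
	sigCentralDir = 0x02014b50 // "PK\x01\x02"
	sigEOCD       = 0x06054b50 // "PK\x05\x06"
	eocdMinLen    = 22         // EOCD record without an archive comment
	cdHeaderLen   = 46         // fixed part of a central directory record
)

// buildSampleZip returns a constructed two-entry archive written by Go's own zip.Writer.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{{"a.txt", "first entry"}, {"b.txt", "second entry"}} {
		f, err := w.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := f.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// findEOCD scans backwards for the EOCD record; a trailing archive comment of
// up to 65535 bytes may follow it, so the scan covers that window.
func findEOCD(data []byte) (int, error) {
	lowest := len(data) - eocdMinLen - 0xFFFF
	if lowest < 0 {
		lowest = 0
	}
	for i := len(data) - eocdMinLen; i >= lowest; i-- {
		if binary.LittleEndian.Uint32(data[i:]) == sigEOCD {
			return i, nil
		}
	}
	return 0, errors.New("no end-of-central-directory record")
}

// ValidateCentralDirectory walks every record the EOCD says is present and fails
// on the first malformed one. It returns the record count on success. The EOCD
// fields read are: total entries (+10), directory size (+12), directory offset (+16).
func ValidateCentralDirectory(data []byte) (int, error) {
	eocd, err := findEOCD(data)
	if err != nil {
		return 0, err
	}
	count := int(binary.LittleEndian.Uint16(data[eocd+10:]))
	cdSize := int(binary.LittleEndian.Uint32(data[eocd+12:]))
	cdOff := int(binary.LittleEndian.Uint32(data[eocd+16:]))
	cdEnd := cdOff + cdSize
	if cdOff < 0 || cdSize < 0 || cdEnd > eocd {
		return 0, errors.New("central directory lies outside the archive")
	}
	pos := cdOff
	for i := 0; i < count; i++ {
		if pos+cdHeaderLen > cdEnd {
			return 0, fmt.Errorf("record %d: truncated header", i)
		}
		if binary.LittleEndian.Uint32(data[pos:]) != sigCentralDir {
			return 0, fmt.Errorf("record %d: bad central directory signature", i)
		}
		// Variable-length tail: file name (+28), extra field (+30), comment (+32).
		nameLen := int(binary.LittleEndian.Uint16(data[pos+28:]))
		extraLen := int(binary.LittleEndian.Uint16(data[pos+30:]))
		commentLen := int(binary.LittleEndian.Uint16(data[pos+32:]))
		pos += cdHeaderLen + nameLen + extraLen + commentLen
	}
	if pos != cdEnd {
		return 0, errors.New("central directory size disagrees with its records")
	}
	return count, nil
}

// sampleWithDamagedRecord is a constructed fixture: the sample archive with the
// signature of its second central directory record overwritten with zeros.
func sampleWithDamagedRecord() []byte {
	data := append([]byte(nil), buildSampleZip()...)
	eocd, err := findEOCD(data)
	if err != nil {
		panic(err)
	}
	first := int(binary.LittleEndian.Uint32(data[eocd+16:]))
	second := first + cdHeaderLen +
		int(binary.LittleEndian.Uint16(data[first+28:])) +
		int(binary.LittleEndian.Uint16(data[first+30:])) +
		int(binary.LittleEndian.Uint16(data[first+32:]))
	binary.LittleEndian.PutUint32(data[second:], 0)
	return data
}

func main() {
	for _, s := range []struct {
		name string
		data []byte
	}{{"intact", buildSampleZip()}, {"damaged", sampleWithDamagedRecord()}} {
		n, err := ValidateCentralDirectory(s.data)
		_, stdErr := zip.NewReader(bytes.NewReader(s.data), int64(len(s.data)))
		fmt.Printf("%s: strict walker -> %d records, err=%v; archive/zip err=%v\n", s.name, n, err, stdErr)
	}
}
```

The strict walker reports two records for the intact sample and rejects the damaged one at record 1. The Fixed In Version field lists go 1.22.4 and go 1.21.11; on a toolchain at or above those versions the `archive/zip` column should reject the damaged sample as well, while the Doc Text says an unfixed reader skips the bad record, so the side-by-side output is a quick way to tell which behaviour the installed Go has.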