Bug 2020736 (CVE-2021-41772) - CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string
Summary: CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-41772
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2020738 2013628 2020737 2020739 2021144 2021145 2021146 2021147 2021148 2022828 2022829 2023670 2023672 2023673 2024704 2028640 2028641 2028642 2028643
Blocks: 2020742
TreeView+ depends on / blocked
 
Reported: 2021-11-05 17:55 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-01 02:36 UTC (History)
98 users (show)

Fixed In Version: go 1.16.10, go 1.17.3
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument.
Clone Of:
Environment:
Last Closed: 2022-05-11 19:15:20 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1734 0 None None None 2022-05-05 13:49:27 UTC
Red Hat Product Errata RHSA-2022:1745 0 None None None 2022-05-09 07:45:40 UTC
Red Hat Product Errata RHSA-2022:1747 0 None None None 2022-05-09 16:48:18 UTC
Red Hat Product Errata RHSA-2022:1819 0 None None None 2022-05-10 13:38:57 UTC

Description Guilherme de Almeida Suckevicz 2021-11-05 17:55:32 UTC 
Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument.

Reference:
https://github.com/golang/go/issues/48085
Comment 1 Guilherme de Almeida Suckevicz 2021-11-05 17:56:09 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2020737]
Affects: fedora-all [bug 2020739]
Affects: openstack-rdo [bug 2020738]
Comment 2 Przemyslaw Roguski 2021-11-08 11:51:55 UTC 
The vulnerable function `Reader.Open` was only introduced in Go 1.16 [1]
[1] - https://github.com/golang/go/commit/1296ee6b4f9058be75c799513ccb488d2f2dd085#diff-0080ec4a6ff2467b5511020b725e4f633f08384e892e18103af78e4fe9912278
Comment 3 Przemyslaw Roguski 2021-11-08 11:56:09 UTC 
Upstream issue: https://github.com/golang/go/issues/48085
and fixes:
for 1.17.3 https://github.com/golang/go/commit/b212ba68296b503b395e7d1838ca72a19030a6bf
for 1.16.10 https://github.com/golang/go/commit/88407a8dd98411f1730907dc8a69b99488af0052
Comment 21 Cedric Buissart 2022-02-14 14:23:03 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:5176 https://access.redhat.com/errata/RHSA-2021:5176
Comment 26 errata-xmlrpc 2022-05-05 13:49:22 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:1734 https://access.redhat.com/errata/RHSA-2022:1734
Comment 27 errata-xmlrpc 2022-05-09 07:45:35 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:1745 https://access.redhat.com/errata/RHSA-2022:1745
Comment 29 errata-xmlrpc 2022-05-09 16:48:12 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.22

Via RHSA-2022:1747 https://access.redhat.com/errata/RHSA-2022:1747
Comment 30 errata-xmlrpc 2022-05-10 13:38:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1819 https://access.redhat.com/errata/RHSA-2022:1819
Comment 31 Product Security DevOps Team 2022-05-11 19:15:16 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41772
Note You need to log in before you can comment on or make changes to this bug.