Bug 2292668 (CVE-2024-24789) - CVE-2024-24789 golang: archive/zip: Incorrect handling of certain ZIP files
Summary: CVE-2024-24789 golang: archive/zip: Incorrect handling of certain ZIP files
Keywords:
Status: NEW
Alias: CVE-2024-24789
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2292671 2292673 2292674 2292675 2292744 2349923 2292669 2292670 2292672 2292676 2292677 2292678 2292679 2292680 2292681 2292682 2292683 2292684 2292685 2292686 2292687 2292688 2292689 2292690 2292691 2292692 2292693 2292694 2292695 2292696 2292697 2292698 2292700 2292701 2292702 2292703 2292704 2292705 2292706 2292707 2292708 2292709 2292710 2292711 2292712 2292713 2292714 2292715 2292716 2292717 2292718 2292719 2292720 2292721 2292722 2292723 2292745 2292746 2292747 2292751 2292752 2292993
Blocks: 2292754
Reported: 2024-06-17 16:55 UTC by Marco Benatto
Modified: 2025-05-15 08:28 UTC (History)
CC List: 105 users

Fixed In Version: go 1.22.4, go 1.21.11
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2024:4490 | 0 | None | None | None | 2024-07-11 08:15:41 UTC
Red Hat Product Errata | RHBA-2024:4875 | 0 | None | None | None | 2024-07-25 16:52:04 UTC
Red Hat Product Errata | RHBA-2024:4876 | 0 | None | None | None | 2024-07-25 16:52:25 UTC
Red Hat Product Errata | RHBA-2024:4877 | 0 | None | None | None | 2024-07-25 16:52:48 UTC
Red Hat Product Errata | RHBA-2024:4878 | 0 | None | None | None | 2024-07-25 16:53:16 UTC
Red Hat Product Errata | RHBA-2024:5335 | 0 | None | None | None | 2024-08-13 17:32:57 UTC
Red Hat Product Errata | RHBA-2024:7639 | 0 | None | None | None | 2024-10-03 15:41:57 UTC
Red Hat Product Errata | RHSA-2024:10186 | 0 | None | None | None | 2024-11-22 01:07:06 UTC
Red Hat Product Errata | RHSA-2024:10775 | 0 | None | None | None | 2024-12-04 01:00:09 UTC
Red Hat Product Errata | RHSA-2024:3718 | 0 | None | None | None | 2024-10-01 17:30:47 UTC
Red Hat Product Errata | RHSA-2024:3722 | 0 | None | None | None | 2024-10-01 08:41:16 UTC
Red Hat Product Errata | RHSA-2024:4212 | 0 | None | None | None | 2024-07-02 09:01:24 UTC
Red Hat Product Errata | RHSA-2024:4237 | 0 | None | None | None | 2024-07-02 15:22:12 UTC
Red Hat Product Errata | RHSA-2024:4785 | 0 | None | None | None | 2024-08-07 00:48:21 UTC
Red Hat Product Errata | RHSA-2024:4867 | 0 | None | None | None | 2024-07-25 13:09:06 UTC
Red Hat Product Errata | RHSA-2024:4872 | 0 | None | None | None | 2024-07-25 14:44:17 UTC
Red Hat Product Errata | RHSA-2024:4982 | 0 | None | None | None | 2024-08-01 19:11:17 UTC
Red Hat Product Errata | RHSA-2024:5094 | 0 | None | None | None | 2024-08-07 15:39:51 UTC
Red Hat Product Errata | RHSA-2024:5258 | 0 | None | None | None | 2024-08-13 00:38:38 UTC
Red Hat Product Errata | RHSA-2024:5291 | 0 | None | None | None | 2024-08-13 15:25:35 UTC
Red Hat Product Errata | RHSA-2024:6004 | 0 | None | None | None | 2024-09-03 19:14:35 UTC
Red Hat Product Errata | RHSA-2024:6755 | 0 | None | None | None | 2024-09-18 11:57:49 UTC
Red Hat Product Errata | RHSA-2024:8676 | 0 | None | None | None | 2024-10-30 14:28:15 UTC
Red Hat Product Errata | RHSA-2024:9102 | 0 | None | None | None | 2024-11-12 08:46:22 UTC
Red Hat Product Errata | RHSA-2024:9115 | 0 | None | None | None | 2024-11-12 08:48:27 UTC
Red Hat Product Errata | RHSA-2024:9583 | 0 | None | None | None | 2024-11-13 18:00:54 UTC

Description Marco Benatto 2024-06-17 16:55:52 UTC
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

http://www.openwall.com/lists/oss-security/2024/06/04/1
https://go.dev/cl/585397
https://go.dev/issue/66869
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
https://pkg.go.dev/vuln/GO-2024-2888
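The description above is about a parser differential: a file whose container structure one zip reader resolves one way and another reader resolves differently, so the "contents" of the archive depend on who opens it. The fix in go 1.22.4 and go 1.21.11 closes the specific cases on the archive/zip side. A consumer that has to accept untrusted archives (plugin bundles, uploaded artifacts, container layers) can additionally fail closed on its own terms. The block below is an added example and is not code from the Go project, from the fix, or from this bug: it walks the container with a deliberately strict reading (exactly one end-of-central-directory record ending at EOF, the central directory abutting it, every byte before the directory covered by exactly one local entry, local and central names in agreement) and then checks that archive/zip reports the same number of entries. The sample archive is constructed in memory with archive/zip, the mutations are constructed too, and the policy of rejecting self-extractor prefixes, zip64 and trailing data is an assumption of this example, not a property of archive/zip. It does not reproduce the particular malformed inputs behind CVE-2024-24789, which this page does not describe.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"sort"
)

// Signatures and fixed record sizes from the PKWARE APPNOTE: local file header,
// central directory header, end of central directory (EOCD) record, data descriptor.
const (
	sigLocal, lenLocal     = 0x04034b50, 30
	sigCentral, lenCentral = 0x02014b50, 46
	sigEOCD, lenEOCD       = 0x06054b50, 22
	sigDesc                = 0x08074b50
)

var le = binary.LittleEndian

// StrictZipNames accepts an archive only if every byte belongs to exactly one
// unambiguous structure, then checks that archive/zip sees the same entry count.
// By design it rejects prefixed archives (self-extractors), zip64 and trailing data.
func StrictZipNames(data []byte) ([]string, error) {
	fail := func(f string, a ...any) ([]string, error) { return nil, fmt.Errorf(f, a...) }
	n, eocd := len(data), -1
	// 1. The last EOCD record must end, comment included, exactly at EOF.
	for i := n - lenEOCD; i >= 0 && i >= n-lenEOCD-0xffff; i-- {
		if le.Uint32(data[i:]) == sigEOCD && i+lenEOCD+int(le.Uint16(data[i+20:])) == n {
			eocd = i
			break
		}
	}
	if eocd < 0 { return fail("no EOCD record ending at EOF") }
	entries, cdSize, cdOff := int(le.Uint16(data[eocd+10:])), int(le.Uint32(data[eocd+12:])), int(le.Uint32(data[eocd+16:]))
	// 2. The central directory must end exactly where the EOCD begins (zip64's 0xffffffff placeholder fails here too).
	if cdOff+cdSize != eocd { return fail("central directory does not abut EOCD") }
	// 3. Central directory records must tile [cdOff, eocd), each pointing at a local header that agrees with it.
	spans, names := [][2]int{}, []string{} // spans: each entry's [start, end) on disk, checked in step 4
	for pos := cdOff; pos < eocd; {
		if eocd-pos < lenCentral || le.Uint32(data[pos:]) != sigCentral { return fail("malformed central directory record at offset %d", pos) }
		flags, csize := le.Uint16(data[pos+8:]), int(le.Uint32(data[pos+20:]))
		nameLen, extraLen, cmtLen := int(le.Uint16(data[pos+28:])), int(le.Uint16(data[pos+30:])), int(le.Uint16(data[pos+32:]))
		lho, end := int(le.Uint32(data[pos+42:])), pos+lenCentral+nameLen+extraLen+cmtLen
		if end > eocd || lho < 0 || lho+lenLocal > cdOff || le.Uint32(data[lho:]) != sigLocal { return fail("record at offset %d overruns or has no local header", pos) }
		name := string(data[pos+lenCentral : pos+lenCentral+nameLen])
		lnameLen, lextraLen := int(le.Uint16(data[lho+26:])), int(le.Uint16(data[lho+28:]))
		lend := lho + lenLocal + lnameLen + lextraLen + csize
		if lend > cdOff || string(data[lho+lenLocal:lho+lenLocal+lnameLen]) != name { return fail("%q: local header disagrees with central directory (name or size)", name) }
		if flags&0x8 != 0 { // a data descriptor follows the data; its 4-byte signature is optional
			if le.Uint32(data[lend:]) == sigDesc { lend += 4 }
			lend += 12
		}
		spans, names, pos = append(spans, [2]int{lho, lend}), append(names, name), end
	}
	if len(names) != entries { return fail("EOCD claims %d entries, directory holds %d", entries, len(names)) }
	// 4. Local entries must tile [0, cdOff): no hidden bytes before, between or after them.
	sort.Slice(spans, func(i, j int) bool { return spans[i][0] < spans[j][0] })
	cursor := 0
	for _, s := range spans {
		if s[0] != cursor { return fail("unaccounted or overlapping bytes at offset %d", cursor) }
		cursor = s[1]
	}
	if cursor != cdOff { return fail("unaccounted bytes between last entry and central directory") }
	// 5. archive/zip must agree with the strict parse (reading entries through it later still verifies each CRC).
	zr, err := zip.NewReader(bytes.NewReader(data), int64(n))
	if err != nil { return nil, err }
	if len(zr.File) != len(names) { return fail("archive/zip sees %d entries, strict parse saw %d", len(zr.File), len(names)) }
	return names, nil
}

// buildSample writes a two-entry archive with archive/zip (constructed sample input, not an
// archive from the advisory); writes to an in-memory buffer cannot fail.
func buildSample() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range [][2]string{{"a.txt", "hello\n"}, {"dir/b.txt", "world\n"}} {
		w, _ := zw.Create(e[0])
		io.WriteString(w, e[1])
	}
	zw.Close()
	return buf.Bytes()
}

// withFakeTrailer appends a second, self-consistent EOCD that declares an empty archive:
// a reader trusting the last trailer sees no files, a reader trusting the first sees two.
func withFakeTrailer(data []byte) []byte {
	t := make([]byte, lenEOCD)
	le.PutUint32(t, sigEOCD)
	le.PutUint32(t[16:], uint32(len(data))) // "central directory" starts at the old EOF
	return append(append([]byte{}, data...), t...)
}

func main() { fmt.Println(StrictZipNames(buildSample())) }
```

For the well-formed sample the function returns the two entry names and a nil error. The same check rejects the archive with a second trailer, one with bytes appended after the trailer, a truncated file, two central-directory records that point at the same local header, and an entry whose local header name differs from its central-directory name; each of those is a case where two readers could legitimately disagree about what the archive contains. Accepted archives should still be read through archive/zip, which verifies each entry's CRC as it is read, and entry names still need path validation before extraction, which this example does not do.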

Comment 1 Marco Benatto 2024-06-17 17:04:15 UTC
Created asnmap tracking bugs for this issue:

Affects: fedora-all [bug 2292677]


Created bettercap tracking bugs for this issue:

Affects: fedora-all [bug 2292678]


Created dnsx tracking bugs for this issue:

Affects: fedora-all [bug 2292679]


Created doctl tracking bugs for this issue:

Affects: fedora-all [bug 2292680]


Created exercism tracking bugs for this issue:

Affects: fedora-all [bug 2292681]


Created gh tracking bugs for this issue:

Affects: fedora-all [bug 2292682]


Created golang tracking bugs for this issue:

Affects: epel-all [bug 2292670]
Affects: fedora-all [bug 2292669]


Created golang-github-aws-lambda tracking bugs for this issue:

Affects: fedora-all [bug 2292683]


Created golang-github-chai2010-gettext tracking bugs for this issue:

Affects: fedora-all [bug 2292684]


Created golang-github-deepmap-oapi-codegen tracking bugs for this issue:

Affects: fedora-all [bug 2292685]


Created golang-github-evanw-esbuild tracking bugs for this issue:

Affects: fedora-all [bug 2292686]


Created golang-github-facebookincubator-go2chef tracking bugs for this issue:

Affects: fedora-all [bug 2292687]


Created golang-github-francoispqt-gojay tracking bugs for this issue:

Affects: fedora-all [bug 2292688]


Created golang-github-geertjohan-rice tracking bugs for this issue:

Affects: fedora-all [bug 2292689]


Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-all [bug 2292690]


Created golang-github-pelletier-toml tracking bugs for this issue:

Affects: fedora-all [bug 2292691]


Created golang-github-pelletier-toml-2 tracking bugs for this issue:

Affects: fedora-all [bug 2292692]


Created golang-github-pgaskin-koboutils tracking bugs for this issue:

Affects: fedora-all [bug 2292693]


Created golang-github-projectdiscovery-chaos-client tracking bugs for this issue:

Affects: fedora-all [bug 2292694]


Created golang-github-projectdiscovery-mapcidr tracking bugs for this issue:

Affects: fedora-all [bug 2292695]


Created golang-github-rakyll-statik tracking bugs for this issue:

Affects: fedora-all [bug 2292696]


Created golang-github-rogpeppe-internal tracking bugs for this issue:

Affects: fedora-all [bug 2292697]


Created golang-github-schollz-croc tracking bugs for this issue:

Affects: fedora-all [bug 2292698]


Created golang-helm-3 tracking bugs for this issue:

Affects: fedora-all [bug 2292700]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2292701]


Created golang-x-exp tracking bugs for this issue:

Affects: fedora-all [bug 2292702]


Created golang-x-mobile tracking bugs for this issue:

Affects: fedora-all [bug 2292703]


Created golang-x-mod tracking bugs for this issue:

Affects: fedora-all [bug 2292704]


Created golang-x-text tracking bugs for this issue:

Affects: fedora-all [bug 2292705]


Created golang-x-tools tracking bugs for this issue:

Affects: fedora-all [bug 2292706]


Created golang-x-vuln tracking bugs for this issue:

Affects: fedora-all [bug 2292707]


Created google-osconfig-agent tracking bugs for this issue:

Affects: fedora-all [bug 2292708]


Created gopass tracking bugs for this issue:

Affects: fedora-all [bug 2292709]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2292710]


Created hugo tracking bugs for this issue:

Affects: fedora-all [bug 2292711]


Created kitty tracking bugs for this issue:

Affects: fedora-all [bug 2292712]


Created micro tracking bugs for this issue:

Affects: epel-all [bug 2292671]
Affects: fedora-all [bug 2292713]


Created opentofu tracking bugs for this issue:

Affects: fedora-all [bug 2292714]


Created pack tracking bugs for this issue:

Affects: epel-all [bug 2292672]
Affects: fedora-all [bug 2292715]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2292716]


Created rclone tracking bugs for this issue:

Affects: epel-all [bug 2292673]
Affects: fedora-all [bug 2292717]


Created restic tracking bugs for this issue:

Affects: epel-all [bug 2292674]
Affects: fedora-all [bug 2292718]


Created snapd tracking bugs for this issue:

Affects: epel-all [bug 2292675]
Affects: fedora-all [bug 2292719]


Created syncthing tracking bugs for this issue:

Affects: epel-all [bug 2292676]
Affects: fedora-all [bug 2292720]


Created tinygo tracking bugs for this issue:

Affects: fedora-all [bug 2292721]


Created trivy tracking bugs for this issue:

Affects: fedora-all [bug 2292722]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2292723]

Comment 26 Tom Sweeney 2024-06-18 20:35:41 UTC
This appears to be fixed in Go v1.22.4 and v1.21.11.  Can someone from the Go or ProdSec teams verify and add a value to the "Fixed in Version" of this BZ, please?

Comment 27 Marco Benatto 2024-06-18 20:44:15 UTC
In reply to comment #26:
> This appears to be fixed in Go v1.22.4 and v1.21.11.  Can someone from the
> Go or ProdSec teams verify and add a value to the "Fixed in Version" of this
> BZ, please?

Done!

Comment 31 errata-xmlrpc 2024-07-02 09:01:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4212 https://access.redhat.com/errata/RHSA-2024:4212

Comment 32 errata-xmlrpc 2024-07-02 15:22:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4237 https://access.redhat.com/errata/RHSA-2024:4237

Comment 33 errata-xmlrpc 2024-07-25 13:08:59 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:4867 https://access.redhat.com/errata/RHSA-2024:4867

Comment 34 errata-xmlrpc 2024-07-25 14:44:10 UTC
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4872 https://access.redhat.com/errata/RHSA-2024:4872

Comment 35 errata-xmlrpc 2024-08-01 19:11:12 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:4982 https://access.redhat.com/errata/RHSA-2024:4982

Comment 36 errata-xmlrpc 2024-08-07 00:48:15 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:4785 https://access.redhat.com/errata/RHSA-2024:4785

Comment 37 errata-xmlrpc 2024-08-07 15:39:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.6 for RHEL 8
  Red Hat OpenShift Service Mesh 2.6 for RHEL 9

Via RHSA-2024:5094 https://access.redhat.com/errata/RHSA-2024:5094

Comment 38 errata-xmlrpc 2024-08-13 00:38:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5258 https://access.redhat.com/errata/RHSA-2024:5258

Comment 39 errata-xmlrpc 2024-08-13 15:25:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5291 https://access.redhat.com/errata/RHSA-2024:5291

Comment 40 errata-xmlrpc 2024-09-03 19:14:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6004 https://access.redhat.com/errata/RHSA-2024:6004

Comment 41 errata-xmlrpc 2024-09-18 11:57:42 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755

Comment 42 errata-xmlrpc 2024-10-01 08:41:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:3722 https://access.redhat.com/errata/RHSA-2024:3722

Comment 43 errata-xmlrpc 2024-10-01 17:30:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:3718 https://access.redhat.com/errata/RHSA-2024:3718

Comment 45 errata-xmlrpc 2024-10-30 14:28:06 UTC
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676

Comment 46 errata-xmlrpc 2024-11-12 08:46:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9102 https://access.redhat.com/errata/RHSA-2024:9102

Comment 47 errata-xmlrpc 2024-11-12 08:48:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9115 https://access.redhat.com/errata/RHSA-2024:9115

Comment 48 errata-xmlrpc 2024-11-13 18:00:47 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:9583 https://access.redhat.com/errata/RHSA-2024:9583

Comment 49 errata-xmlrpc 2024-11-22 01:06:58 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2024:10186 https://access.redhat.com/errata/RHSA-2024:10186

Comment 51 errata-xmlrpc 2024-12-04 01:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.6

Via RHSA-2024:10775 https://access.redhat.com/errata/RHSA-2024:10775

