Bug 1965503 (CVE-2021-33196) - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion
Summary: CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memo...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33196
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1969342 1967415 1967416 1967417 1967418 1967419 1967420 1971074 1972420 1972421 1973240 1973241 1973242 1973243 1973247 1974331 1974332 1975882 1990701 1991818 1999369 1999370 1999371
Blocks: 1965506
TreeView+ depends on / blocked
 
Reported: 2021-05-27 20:09 UTC by Pedro Sampaio
Modified: 2022-05-10 14:59 UTC (History)
113 users (show)

Fixed In Version: go 1.17.0, go 1.16.5, go 1.15.13
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files.
Clone Of:
Environment:
Last Closed: 2021-07-01 22:40:24 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2634 0 None None None 2021-07-01 15:26:55 UTC
Red Hat Product Errata RHSA-2021:2704 0 None None None 2021-07-13 16:54:10 UTC
Red Hat Product Errata RHSA-2021:2705 0 None None None 2021-07-13 21:43:56 UTC
Red Hat Product Errata RHSA-2021:2983 0 None None None 2021-08-10 11:26:46 UTC
Red Hat Product Errata RHSA-2021:2984 0 None None None 2021-08-10 07:50:02 UTC
Red Hat Product Errata RHSA-2021:3076 0 None None None 2021-08-10 13:58:10 UTC
Red Hat Product Errata RHSA-2021:3229 0 None None None 2021-08-19 12:33:57 UTC
Red Hat Product Errata RHSA-2021:3361 0 None None None 2021-08-31 08:09:44 UTC
Red Hat Product Errata RHSA-2021:3758 0 None None None 2021-10-18 16:51:50 UTC

Description Pedro Sampaio 2021-05-27 20:09:30 UTC
Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it has a significant number of files can cause either a panic or memory exhaustion.

References:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912
https://github.com/golang/go/issues/46242

Comment 1 Summer Long 2021-06-01 04:41:24 UTC
Upstream:
1.15 - https://golang.org/cl/322949
1.16 - https://golang.org/cl/322909
1.17 - https://golang.org/cl/318909

Comment 4 Sam Fowler 2021-06-03 06:17:48 UTC
Checking the entire source code of OpenShift 4, only the following components are using archive/zip (components that share the same github.com/openshift repo are removed):

grafana-container/pkg/cmd/grafana-cli
openshift-enterprise-console-container/cmd/bridge
ose-installer-container/cmd/openshift-install
openshift/cmd/clicheck
openshift/cmd/gendocs
openshift/cmd/genman
openshift/cmd/genyaml
openshift/cmd/kubectl
openshift/cmd/kubectl-convert
openshift-clients/cmd/oc
openshift-clients/tools/clicheck
openshift-clients/tools/gendocs
openshift-clients/tools/genman

The majority of these are all short lived, client side programs. A crash/panic in client side programs has minimal security impact.

The only Go binary from the above list that is executed as a long lived server side process is openshift-enterprise-console-container/cmd/bridge, which is the main binary for the openshift web console. However, this only includes archive/zip via the GetAndExtractZip function in the vendor/github.com/devfile/library directory, which is entirely unused.

Thus the impact for all OpenShift components that include archive/zip is Low.

Comment 8 Riccardo Schirone 2021-06-03 14:55:51 UTC
Upstream patch:
https://github.com/golang/go/commit/74242baa4136c7a9132a8ccd9881354442788c8c

Comment 10 Anten Skrabec 2021-06-07 19:13:33 UTC
While all OpenShift Service Mesh components affected include the vulnerable code, only servicemesh and servicemesh-grafana actually include usage of the affected code in zip.NewReader().

Thus, the impact level for servicemesh-operator and servicemesh-prometheus has been set to Low.

Comment 25 errata-xmlrpc 2021-07-01 15:26:42 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:2634 https://access.redhat.com/errata/RHSA-2021:2634

Comment 26 Product Security DevOps Team 2021-07-01 22:40:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33196

Comment 27 errata-xmlrpc 2021-07-13 16:54:07 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:2704 https://access.redhat.com/errata/RHSA-2021:2704

Comment 28 errata-xmlrpc 2021-07-13 21:43:53 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.16

Via RHSA-2021:2705 https://access.redhat.com/errata/RHSA-2021:2705

Comment 30 errata-xmlrpc 2021-08-10 07:49:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2984 https://access.redhat.com/errata/RHSA-2021:2984

Comment 31 errata-xmlrpc 2021-08-10 11:26:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2983 https://access.redhat.com/errata/RHSA-2021:2983

Comment 32 errata-xmlrpc 2021-08-10 13:58:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3076 https://access.redhat.com/errata/RHSA-2021:3076

Comment 35 errata-xmlrpc 2021-08-19 12:33:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:3229 https://access.redhat.com/errata/RHSA-2021:3229

Comment 38 errata-xmlrpc 2021-08-31 08:09:38 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.5

Via RHSA-2021:3361 https://access.redhat.com/errata/RHSA-2021:3361

Comment 39 errata-xmlrpc 2021-10-18 16:51:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3758 https://access.redhat.com/errata/RHSA-2021:3758


Note You need to log in before you can comment on or make changes to this bug.