Bug 2020736 (CVE-2021-41772) - CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string
Summary: CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-41772
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2020738 2013628 2020737 2020739 2021144 2021145 2021146 2021147 2021148 2022828 2022829 2023670 2023672 2023673 2024704 2028640 2028641 2028642 2028643
Blocks: 2020742
Reported: 2021-11-05 17:55 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-02-07 17:07 UTC
CC List: 96 users

Fixed In Version: go 1.16.10, go 1.17.3
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in archive/zip of the Go standard library. Go applications that use Reader.Open (the API implementing io/fs.FS, introduced in Go 1.16) can be made to panic either by a crafted ZIP archive containing completely invalid names or by an empty filename argument passed to Reader.Open.
Clone Of:
Environment:
Last Closed: 2022-05-11 19:15:20 UTC




Links (Red Hat Product Errata):
RHSA-2022:1734 (last updated 2022-05-05 13:49:27 UTC)
RHSA-2022:1745 (last updated 2022-05-09 07:45:40 UTC)
RHSA-2022:1747 (last updated 2022-05-09 16:48:18 UTC)
RHSA-2022:1819 (last updated 2022-05-10 13:38:57 UTC)

Description Guilherme de Almeida Suckevicz 2021-11-05 17:55:32 UTC
Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument.

Reference:
https://github.com/golang/go/issues/48085
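The two inputs the report names (an archive entry whose name is not a valid io/fs path, and an empty name passed to Reader.Open) are easy to reproduce and to guard against from the caller's side. The following Go program is an added example, not code from the bug report or from the Go project: it builds a small archive in memory (constructed sample input), then opens entries through Reader.Open behind two guards a caller can add, an fs.ValidPath check on the name and a deferred recover that turns a panic inside archive/zip into an ordinary error. The helper names buildArchive and readEntry and the archive contents are this example's own. On a fixed toolchain (go 1.16.10 / 1.17.3 or later) Reader.Open already returns an fs.PathError wrapping fs.ErrInvalid for such names; the outer guards keep the behaviour the same for binaries built with an older toolchain.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"io/fs"
)

// buildArchive returns a small ZIP built in memory. It is constructed sample
// input for this example, not an archive from the bug report. The second entry
// deliberately carries a name that is not a valid io/fs path; zip.Writer does
// not reject such names, so an attacker-supplied archive can contain them.
func buildArchive() []byte {
	entries := []struct{ name, body string }{
		{"docs/hello.txt", "hello from a normal entry\n"},
		{"../escape.txt", "name that io/fs will not accept\n"},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := io.WriteString(w, e.body); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// readEntry returns the contents of the entry called name inside archive.
// Two guards wrap the call to Reader.Open:
//   - the name is checked with fs.ValidPath first, which rejects "", a leading
//     "/" and "." or ".." path elements (the fixed archive/zip performs the
//     same check internally; doing it here gives the same result on a
//     toolchain older than go 1.16.10 / 1.17.3);
//   - a deferred recover converts any panic raised inside archive/zip into an
//     ordinary error, so a crafted archive cannot take the whole process down.
func readEntry(archive []byte, name string) (content string, err error) {
	if !fs.ValidPath(name) {
		return "", &fs.PathError{Op: "open", Path: name, Err: fs.ErrInvalid}
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("archive/zip panicked while opening %q: %v", name, r)
		}
	}()
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return "", err
	}
	f, err := zr.Open(name)
	if err != nil {
		return "", err
	}
	defer f.Close()
	b, err := io.ReadAll(f)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	archive := buildArchive()
	// The empty string and the "../" name are the two inputs from the report;
	// the missing entry shows the ordinary not-found path for comparison.
	for _, name := range []string{"docs/hello.txt", "", "../escape.txt", "docs/missing.txt"} {
		content, err := readEntry(archive, name)
		switch {
		case errors.Is(err, fs.ErrInvalid):
			fmt.Printf("%-18q rejected: invalid name\n", name)
		case errors.Is(err, fs.ErrNotExist):
			fmt.Printf("%-18q rejected: no such entry\n", name)
		case err != nil:
			fmt.Printf("%-18q failed: %v\n", name, err)
		default:
			fmt.Printf("%-18q -> %q\n", name, content)
		}
	}
}
```

Run it with `go run .`; each name produces one line. Callers that hand untrusted names to an fs.FS (an HTTP file server over a ZIP, a plugin loader) get the same protection by applying fs.ValidPath before the Open call, and the recover is cheap insurance wherever an archive from outside the trust boundary is parsed.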

Comment 1 Guilherme de Almeida Suckevicz 2021-11-05 17:56:09 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2020737]
Affects: fedora-all [bug 2020739]
Affects: openstack-rdo [bug 2020738]

Comment 2 Przemyslaw Roguski 2021-11-08 11:51:55 UTC
The vulnerable function `Reader.Open` was only introduced in Go 1.16 [1]
[1] - https://github.com/golang/go/commit/1296ee6b4f9058be75c799513ccb488d2f2dd085#diff-0080ec4a6ff2467b5511020b725e4f633f08384e892e18103af78e4fe9912278

Comment 21 Cedric Buissart 2022-02-14 14:23:03 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:5176 https://access.redhat.com/errata/RHSA-2021:5176

Comment 26 errata-xmlrpc 2022-05-05 13:49:22 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:1734 https://access.redhat.com/errata/RHSA-2022:1734

Comment 27 errata-xmlrpc 2022-05-09 07:45:35 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:1745 https://access.redhat.com/errata/RHSA-2022:1745

Comment 29 errata-xmlrpc 2022-05-09 16:48:12 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.22

Via RHSA-2022:1747 https://access.redhat.com/errata/RHSA-2022:1747

Comment 30 errata-xmlrpc 2022-05-10 13:38:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1819 https://access.redhat.com/errata/RHSA-2022:1819

Comment 31 Product Security DevOps Team 2022-05-11 19:15:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41772
