Bug 2292668 (CVE-2024-24789) - CVE-2024-24789 golang: archive/zip: Incorrect handling of certain ZIP files
Summary: CVE-2024-24789 golang: archive/zip: Incorrect handling of certain ZIP files
Keywords:
Status: NEW
Alias: CVE-2024-24789
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2292669 2292671 2292673 2292674 2292675 2292676 2292677 2292678 2292679 2292680 2292681 2292682 2292683 2292684 2292685 2292686 2292687 2292688 2292689 2292690 2292691 2292692 2292693 2292694 2292695 2292696 2292697 2292698 2292700 2292701 2292702 2292703 2292704 2292705 2292706 2292707 2292708 2292709 2292710 2292711 2292713 2292714 2292717 2292718 2292719 2292720 2292721 2292722 2292744 2292745 2292746 2292747 2292751 2292752 2292993 2292670 2292672 2292712 2292715 2292716 2292723
Blocks: 2292754
Reported: 2024-06-17 16:55 UTC by Marco Benatto
Modified: 2024-07-11 08:15 UTC

Fixed In Version: go 1.22.4, go 1.21.11
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang. The ZIP implementation in the Go archive/zip library behaves differently from other ZIP file format implementations. When handling ZIP files with a corrupted central directory record, the library skips over the invalid record and processes the next valid one. This flaw allows a malicious user to access hidden information or files inside maliciously crafted ZIP files.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:4490 0 None None None 2024-07-11 08:15:41 UTC
Red Hat Product Errata RHSA-2024:4212 0 None None None 2024-07-02 09:01:24 UTC
Red Hat Product Errata RHSA-2024:4237 0 None None None 2024-07-02 15:22:12 UTC

Description Marco Benatto 2024-06-17 16:55:52 UTC
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

http://www.openwall.com/lists/oss-security/2024/06/04/1
https://go.dev/cl/585397
https://go.dev/issue/66869
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
https://pkg.go.dev/vuln/GO-2024-2888
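
The strict behaviour the fix introduces (rejecting an archive whose central directory is malformed instead of skipping the bad record) can be applied as a stand-alone pre-filter in front of archive/zip on builds that do not yet carry go 1.22.4 or 1.21.11. The program below is an added example, not the Go project's patch or any Red Hat code; it assumes a single-disk, non-ZIP64 archive and builds its own sample archive in memory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
)

// ValidateCentralDirectory walks the central directory strictly: every record must carry
// the 0x02014b50 signature, the walk must consume exactly the size the EOCD declares, and
// the record count must match the EOCD entry count. Assumes a single-disk, non-ZIP64 file.
func ValidateCentralDirectory(data []byte) error {
	le := binary.LittleEndian
	// End-of-central-directory record: signature 0x06054b50, 22 fixed bytes plus comment.
	eocd := bytes.LastIndex(data, []byte{0x50, 0x4b, 0x05, 0x06})
	if eocd < 0 || len(data)-eocd < 22 {
		return fmt.Errorf("no end-of-central-directory record")
	}
	// Declared entry count, central directory size and offset, all from the EOCD.
	total, cdSize, cdOff := int(le.Uint16(data[eocd+10:])), int(le.Uint32(data[eocd+12:])), int(le.Uint32(data[eocd+16:]))
	if cdOff+cdSize > eocd {
		return fmt.Errorf("central directory runs past the EOCD record")
	}
	pos, end, n := cdOff, cdOff+cdSize, 0
	for pos < end {
		if end-pos < 46 || le.Uint32(data[pos:]) != 0x02014b50 {
			return fmt.Errorf("invalid central directory record at offset %d", pos)
		}
		// 46-byte fixed header, then file name, extra field and comment of declared lengths.
		pos += 46 + int(le.Uint16(data[pos+28:])) + int(le.Uint16(data[pos+30:])) + int(le.Uint16(data[pos+32:]))
		n++
	}
	if pos != end || n != total {
		return fmt.Errorf("central directory mismatch: walked %d records, EOCD declares %d", n, total)
	}
	return nil
}

// buildZip constructs a small stored (uncompressed) archive in memory as constructed input.
func buildZip(names []string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range names {
		f, _ := w.CreateHeader(&zip.FileHeader{Name: name, Method: zip.Store})
		f.Write([]byte("contents of " + name))
	}
	w.Close()
	return buf.Bytes()
}
```

Run ValidateCentralDirectory on the bytes before handing them to zip.NewReader; an intact archive from buildZip passes, while overwriting a single byte of a central directory signature, or editing the EOCD entry count, is rejected rather than silently skipped.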

Comment 1 Marco Benatto 2024-06-17 17:04:15 UTC
Created asnmap tracking bugs for this issue:

Affects: fedora-all [bug 2292677]


Created bettercap tracking bugs for this issue:

Affects: fedora-all [bug 2292678]


Created dnsx tracking bugs for this issue:

Affects: fedora-all [bug 2292679]


Created doctl tracking bugs for this issue:

Affects: fedora-all [bug 2292680]


Created exercism tracking bugs for this issue:

Affects: fedora-all [bug 2292681]


Created gh tracking bugs for this issue:

Affects: fedora-all [bug 2292682]


Created golang tracking bugs for this issue:

Affects: epel-all [bug 2292670]
Affects: fedora-all [bug 2292669]


Created golang-github-aws-lambda tracking bugs for this issue:

Affects: fedora-all [bug 2292683]


Created golang-github-chai2010-gettext tracking bugs for this issue:

Affects: fedora-all [bug 2292684]


Created golang-github-deepmap-oapi-codegen tracking bugs for this issue:

Affects: fedora-all [bug 2292685]


Created golang-github-evanw-esbuild tracking bugs for this issue:

Affects: fedora-all [bug 2292686]


Created golang-github-facebookincubator-go2chef tracking bugs for this issue:

Affects: fedora-all [bug 2292687]


Created golang-github-francoispqt-gojay tracking bugs for this issue:

Affects: fedora-all [bug 2292688]


Created golang-github-geertjohan-rice tracking bugs for this issue:

Affects: fedora-all [bug 2292689]


Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-all [bug 2292690]


Created golang-github-pelletier-toml tracking bugs for this issue:

Affects: fedora-all [bug 2292691]


Created golang-github-pelletier-toml-2 tracking bugs for this issue:

Affects: fedora-all [bug 2292692]


Created golang-github-pgaskin-koboutils tracking bugs for this issue:

Affects: fedora-all [bug 2292693]


Created golang-github-projectdiscovery-chaos-client tracking bugs for this issue:

Affects: fedora-all [bug 2292694]


Created golang-github-projectdiscovery-mapcidr tracking bugs for this issue:

Affects: fedora-all [bug 2292695]


Created golang-github-rakyll-statik tracking bugs for this issue:

Affects: fedora-all [bug 2292696]


Created golang-github-rogpeppe-internal tracking bugs for this issue:

Affects: fedora-all [bug 2292697]


Created golang-github-schollz-croc tracking bugs for this issue:

Affects: fedora-all [bug 2292698]


Created golang-helm-3 tracking bugs for this issue:

Affects: fedora-all [bug 2292700]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2292701]


Created golang-x-exp tracking bugs for this issue:

Affects: fedora-all [bug 2292702]


Created golang-x-mobile tracking bugs for this issue:

Affects: fedora-all [bug 2292703]


Created golang-x-mod tracking bugs for this issue:

Affects: fedora-all [bug 2292704]


Created golang-x-text tracking bugs for this issue:

Affects: fedora-all [bug 2292705]


Created golang-x-tools tracking bugs for this issue:

Affects: fedora-all [bug 2292706]


Created golang-x-vuln tracking bugs for this issue:

Affects: fedora-all [bug 2292707]


Created google-osconfig-agent tracking bugs for this issue:

Affects: fedora-all [bug 2292708]


Created gopass tracking bugs for this issue:

Affects: fedora-all [bug 2292709]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2292710]


Created hugo tracking bugs for this issue:

Affects: fedora-all [bug 2292711]


Created kitty tracking bugs for this issue:

Affects: fedora-all [bug 2292712]


Created micro tracking bugs for this issue:

Affects: epel-all [bug 2292671]
Affects: fedora-all [bug 2292713]


Created opentofu tracking bugs for this issue:

Affects: fedora-all [bug 2292714]


Created pack tracking bugs for this issue:

Affects: epel-all [bug 2292672]
Affects: fedora-all [bug 2292715]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2292716]


Created rclone tracking bugs for this issue:

Affects: epel-all [bug 2292673]
Affects: fedora-all [bug 2292717]


Created restic tracking bugs for this issue:

Affects: epel-all [bug 2292674]
Affects: fedora-all [bug 2292718]


Created snapd tracking bugs for this issue:

Affects: epel-all [bug 2292675]
Affects: fedora-all [bug 2292719]


Created syncthing tracking bugs for this issue:

Affects: epel-all [bug 2292676]
Affects: fedora-all [bug 2292720]


Created tinygo tracking bugs for this issue:

Affects: fedora-all [bug 2292721]


Created trivy tracking bugs for this issue:

Affects: fedora-all [bug 2292722]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2292723]

Comment 26 Tom Sweeney 2024-06-18 20:35:41 UTC
This appears to be fixed in Go v1.22.4 and v1.21.11.  Can someone from the Go or ProdSec teams verify and add a value to the "Fixed in Version" of this BZ, please?

Comment 27 Marco Benatto 2024-06-18 20:44:15 UTC
In reply to comment #26:
> This appears to be fixed in Go v1.22.4 and v1.21.11.  Can someone from the
> Go or ProdSec teams verify and add a value to the "Fixed in Version" of this
> BZ, please?

Done!

Comment 31 errata-xmlrpc 2024-07-02 09:01:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4212 https://access.redhat.com/errata/RHSA-2024:4212

Comment 32 errata-xmlrpc 2024-07-02 15:22:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4237 https://access.redhat.com/errata/RHSA-2024:4237