archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Go | Golang | 1.16.0 (including) | 1.16.1 (excluding) |
| Golang | Ubuntu | trusty | * |
| Golang-1.10 | Ubuntu | bionic | * |
| Golang-1.10 | Ubuntu | trusty | * |
| Golang-1.10 | Ubuntu | trusty/esm | * |
| Golang-1.10 | Ubuntu | xenial | * |
| Golang-1.13 | Ubuntu | bionic | * |
| Golang-1.13 | Ubuntu | focal | * |
| Golang-1.13 | Ubuntu | groovy | * |
| Golang-1.13 | Ubuntu | hirsute | * |
| Golang-1.13 | Ubuntu | impish | * |
| Golang-1.13 | Ubuntu | kinetic | * |
| Golang-1.13 | Ubuntu | xenial | * |
| Golang-1.14 | Ubuntu | focal | * |
| Golang-1.14 | Ubuntu | groovy | * |
| Golang-1.14 | Ubuntu | hirsute | * |
| Golang-1.15 | Ubuntu | groovy | * |
| Golang-1.15 | Ubuntu | hirsute | * |
| Golang-1.15 | Ubuntu | impish | * |
| Golang-1.6 | Ubuntu | trusty | * |
| Golang-1.6 | Ubuntu | xenial | * |
| Golang-1.8 | Ubuntu | bionic | * |
| Golang-1.9 | Ubuntu | bionic | * |
References
- https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
- https://security.gentoo.org/glsa/202208-02
- https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
- https://security.gentoo.org/glsa/202208-02