archive/zip: malformed archive may cause panic or memory exhaustion [1.15 backport] #46396
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
|
Change https://golang.org/cl/322949 mentions this issue: |
mknyszek
added
the
CherryPickApproved
|
A security issue with no workaround because it's in a library detail. Approved. |
gopherbot
removed
the
CherryPickCandidate
|
Closed by merging c92adf4 to release-branch.go1.15. |
gopherbot
pushed a commit
that referenced
this issue
May 28, 2021
…easonably sized Since the number of files in the EOCD record isn't validated, it isn't safe to preallocate Reader.Files using that field. A malformed archive can indicate it contains up to 1 << 128 - 1 files. We can still safely preallocate the slice by checking if the specified number of files in the archive is reasonable, given the size of the archive. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it. Updates #46242 Fixes #46396 Fixes CVE-2021-33196 Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76 Reviewed-on: https://go-review.googlesource.com/c/go/+/318909 Trust: Roland Shoemaker <roland@golang.org> Trust: Katie Hockman <katie@golang.org> Trust: Joe Tsai <thebrokentoaster@gmail.com> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org> Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com> (cherry picked from commit 74242ba) Reviewed-on: https://go-review.googlesource.com/c/go/+/322949 Reviewed-by: Filippo Valsorda <filippo@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
@rolandshoemaker requested issue #46242 to be considered for backport to the next 1.15 minor release.
The text was updated successfully, but these errors were encountered: