archive/zip: overflow in preallocation check can cause OOM panic #47801
Comments
rolandshoemaker
added
Security
NeedsFix
|
Change https://golang.org/cl/343434 mentions this issue: |
|
Thank you for filing this issue, and for fixing it @rolandshoemaker! Could we perhaps backport the fix? There isn't a way for Go users using 1.16 and 1.17 to mitigate this issue, and I can see a huge surface number of affected users who can't upgrade to tip aka Go1.18 currently. |
|
Oops, yup, thought I'd already done this. |
|
@gopherbot please backport to 1.16 and 1.17. This is a security issue. |
|
Backport issue(s) opened: #47985 (for 1.16), #47986 (for 1.17). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases. |
|
Change https://golang.org/cl/345409 mentions this issue: |
|
Change https://golang.org/cl/345410 mentions this issue: |
… overflowing If the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, the check that the indicated number of files in the archive can be effectively bypassed. Prevent this from happening by checking that the indicated directory size is less than the size of the archive. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it. Fixes #47986 Updates #47801 Fixes CVE-2021-39293 Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24 Reviewed-on: https://go-review.googlesource.com/c/go/+/343434 Trust: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org> (cherry picked from commit bacbc33) Reviewed-on: https://go-review.googlesource.com/c/go/+/345410 Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com> Trust: Cherry Mui <cherryyz@google.com>
… overflowing If the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, the check that the indicated number of files in the archive can be effectively bypassed. Prevent this from happening by checking that the indicated directory size is less than the size of the archive. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it. Fixes #47985 Updates #47801 Fixes CVE-2021-39293 Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24 Reviewed-on: https://go-review.googlesource.com/c/go/+/343434 Trust: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org> (cherry picked from commit bacbc33) Reviewed-on: https://go-review.googlesource.com/c/go/+/345409 Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com> Trust: Cherry Mui <cherryyz@google.com>
An oversight in the fix for #46242 still allows for an OOM panic when the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, effectively bypassing the check that the number of files in the archive is reasonable.
This is CVE-2021-39293.
The text was updated successfully, but these errors were encountered: