
archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations [1.21 backport] #67553

Closed
gopherbot opened this issue May 21, 2024 · 3 comments
Labels: CherryPickApproved (used during the release process for point releases), Security
Milestone: Go1.21.11

Comments

@gopherbot (Contributor)

@neild requested issue #66869 to be considered for backport to the next 1.21 minor release.

This parser misalignment is a PUBLIC track security issue. We have assigned this CVE-2024-24789.

@gopherbot please open backport issues. This is a security issue.

gopherbot added the CherryPickCandidate and Security labels on May 21, 2024
gopherbot added this to the Go1.21.11 milestone on May 21, 2024
cagedmantis added the CherryPickApproved label on May 22, 2024
gopherbot removed the CherryPickCandidate label on May 22, 2024
@cagedmantis (Contributor)

Approved as this is a security issue.

@gopherbot (Contributor, Author)

Change https://go.dev/cl/588795 mentions this issue: [release-branch.go1.21] archive/zip: treat truncated EOCDR comment as an error

gopherbot pushed a commit that referenced this issue May 29, 2024
… an error

When scanning for an end of central directory record,
treat an EOCDR signature with a record containing a truncated
comment as an error. Previously, we would skip over the invalid
record and look for another one. Other implementations do not
do this (they either consider this a hard error, or just ignore
the truncated comment). This parser misalignment allowed
presenting entirely different archive contents to Go programs
and other zip decoders.

For #66869
Fixes #67553

Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 33d725e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
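To make the behavioural change in the commit message concrete, here is an added, self-contained Go example. It is not archive/zip's code and not taken from the linked CL: it is a minimal backward scan for the EOCDR signature that shows the pre-fix handling (skip a record whose comment is truncated and keep looking) beside the fixed handling (treat it as a hard error). The names findEOCDR, mkEOCDR and the sample* helpers are this example's own, and the byte buffers are constructed; they contain only an EOCDR region, not a full archive.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout of the end of central directory record (EOCDR): a 4-byte signature
// followed by 18 bytes of fixed fields, with the 2-byte comment length at
// offset 20 and the variable-length comment immediately after the record.
const (
	eocdrSig = 0x06054b50 // "PK\x05\x06" read as little-endian uint32
	eocdrLen = 22         // fixed part of the record
)

var (
	ErrNoEOCDR          = errors.New("zip: end of central directory record not found")
	ErrTruncatedComment = errors.New("zip: EOCDR comment length runs past end of data")
)

// findEOCDR scans tail (the last bytes of an archive) backwards for an EOCDR
// signature and returns the offset of the record it accepts.
//
// strict=true models the fixed behaviour described in the commit message: a
// signature whose declared comment would extend past the end of the data is a
// hard error. strict=false models the pre-fix behaviour: such a record is
// skipped and the scan keeps looking for an earlier signature.
func findEOCDR(tail []byte, strict bool) (int, error) {
	for i := len(tail) - eocdrLen; i >= 0; i-- {
		if binary.LittleEndian.Uint32(tail[i:i+4]) != eocdrSig {
			continue
		}
		commentLen := int(binary.LittleEndian.Uint16(tail[i+20 : i+22]))
		if i+eocdrLen+commentLen > len(tail) {
			if strict {
				return -1, ErrTruncatedComment
			}
			continue // lenient: skip this record and keep scanning
		}
		return i, nil
	}
	return -1, ErrNoEOCDR
}

// mkEOCDR builds a constructed EOCDR with all counts and offsets zero and the
// given comment length; the comment bytes themselves are appended by the caller.
func mkEOCDR(commentLen uint16) []byte {
	rec := make([]byte, eocdrLen)
	binary.LittleEndian.PutUint32(rec[0:4], eocdrSig)
	binary.LittleEndian.PutUint16(rec[20:22], commentLen)
	return rec
}

// Constructed sample tails (not real archives; only the EOCDR region is present).

// sampleGood: one record whose 5-byte comment is fully present.
func sampleGood() []byte { return append(mkEOCDR(5), []byte("hello")...) }

// sampleTruncated: one record that declares a 9-byte comment but only 5 bytes follow.
func sampleTruncated() []byte { return append(mkEOCDR(9), []byte("hello")...) }

// sampleTwoRecords: a well-formed record followed by a trailing record with a
// truncated comment. A lenient scanner skips the trailing record and settles on
// the earlier one; a strict scanner rejects the input outright. Two decoders
// that disagree here would read different central directories.
func sampleTwoRecords() []byte {
	b := append(mkEOCDR(0), mkEOCDR(9)...)
	return append(b, []byte("hello")...)
}

func main() {
	samples := []struct {
		name string
		tail []byte
	}{
		{"good", sampleGood()},
		{"truncated", sampleTruncated()},
		{"two-records", sampleTwoRecords()},
	}
	for _, s := range samples {
		for _, strict := range []bool{false, true} {
			off, err := findEOCDR(s.tail, strict)
			fmt.Printf("%-12s strict=%-5v offset=%d err=%v\n", s.name, strict, off, err)
		}
	}
}
```

The point of the strict branch is that an archive whose trailing record is malformed is ambiguous: different decoders may settle on different records and therefore on different central directories. Failing closed removes the ambiguity on the Go side, which is the alignment the fix restores; a validating proxy or scanner that wants to match Go's behaviour should likewise reject rather than skip.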
@gopherbot (Contributor, Author)

Closed by merging c8e4033 to release-branch.go1.21.
