GO-2021-0067

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2021-0067

Import Source

https://vuln.go.dev/ID/GO-2021-0067.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2021-0067

Aliases

BIT-golang-2021-27919
CVE-2021-27919

Published

2021-04-14T20:04:52Z

Modified

2024-05-20T16:03:47Z

Summary

Panic when opening archives in archive/zip

Details

Using Reader.Open on an archive containing a file with a path prefixed by "../" will cause a panic due to a stack overflow. If parsing user supplied archives, this may be used as a denial of service vector.

References

https://go.dev/cl/300489
https://go.googlesource.com/go/+/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8
https://go.dev/issue/44916
https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw/m/zzhWj5jPAQAJ

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

1.16.0-0

Fixed

1.16.1

Ecosystem specific

{
    "imports": [
        {
            "path": "archive/zip",
            "symbols": [
                "toValidName"
            ]
        }
    ]
}