Bug 1192378 (CVE-2021-41772)

Summary: VUL-0: CVE-2021-41772: go1.16,go1.17: archive/zip: don't panic on (*Reader).Open
Product: [Novell Products] SUSE Security Incidents Reporter: Jeff Kowalczyk <jkowalczyk>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv3.1:SUSE:CVE-2021-41772:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jeff Kowalczyk 2021-11-05 05:39:56 UTC
Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument.

Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team for reporting this issue.

This is CVE-2021-41772 and Go issue go#48085.

References:

https://github.com/golang/go/issues/48085
Comment 1 OBSbugzilla Bot 2021-11-05 07:40:19 UTC
This is an autogenerated message for OBS integration:
This bug (1192378) was mentioned in
https://build.opensuse.org/request/show/929549 Factory / go1.16
https://build.opensuse.org/request/show/929550 Factory / go1.17
Comment 3 Swamp Workflow Management 2021-12-01 20:39:34 UTC
openSUSE-SU-2021:3833-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    go1.17-1.17.3-1.9.1
Comment 4 Swamp Workflow Management 2021-12-01 20:50:39 UTC
SUSE-SU-2021:3833-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.17-1.17.3-1.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    go1.17-1.17.3-1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-01 21:16:09 UTC
SUSE-SU-2021:3834-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.16-1.16.10-1.32.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    go1.16-1.16.10-1.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2021-12-01 21:32:10 UTC
openSUSE-SU-2021:3834-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    go1.16-1.16.10-1.32.1
Comment 7 Swamp Workflow Management 2021-12-06 17:49:43 UTC
openSUSE-SU-2021:1539-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    go1.16-1.16.10-lp152.17.1