Bug 1225973 (CVE-2024-24789)

Summary: VUL-0: CVE-2024-24789: go1.21,go1.22: archive/zip: mishandling of corrupt central directory record
Product: [Novell Products] SUSE Security Incidents Reporter: Jeff Kowalczyk <jkowalczyk>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, rfrohl
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/408758/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-24789:6.2:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jeff Kowalczyk 2024-06-05 04:48:22 UTC 
The archive/zip package's handling of certain types of invalid zip files differed from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

Thanks to Yufan You (@ouuan) for reporting this issue.

This is CVE-2024-24789 and Go issue https://go.dev/issue/66869.
Comment 1 OBSbugzilla Bot 2024-06-05 05:35:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1225973) was mentioned in
https://build.opensuse.org/request/show/1178640 Factory / go1.21
https://build.opensuse.org/request/show/1178641 Factory / go1.22
Comment 3 Maintenance Automation 2024-06-07 12:30:04 UTC 
SUSE-SU-2024:1936-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1212475, 1225973, 1225974
CVE References: CVE-2024-24789, CVE-2024-24790
Maintenance Incident: [SUSE:Maintenance:34163](https://smelt.suse.de/incident/34163/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 go1.21-1.21.11-1.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2024-06-07 12:30:05 UTC 
SUSE-SU-2024:1935-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1218424, 1225973, 1225974
CVE References: CVE-2024-24789, CVE-2024-24790
Maintenance Incident: [SUSE:Maintenance:34165](https://smelt.suse.de/incident/34165/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 go1.22-1.22.4-1.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2024-06-10 20:30:04 UTC 
SUSE-SU-2024:1970-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1218424, 1225973, 1225974
CVE References: CVE-2024-24789, CVE-2024-24790
Maintenance Incident: [SUSE:Maintenance:34166](https://smelt.suse.de/incident/34166/)
Sources used:
openSUSE Leap 15.5 (src):
 go1.22-1.22.4-150000.1.18.1
openSUSE Leap 15.6 (src):
 go1.22-1.22.4-150000.1.18.1
Development Tools Module 15-SP5 (src):
 go1.22-1.22.4-150000.1.18.1
Development Tools Module 15-SP6 (src):
 go1.22-1.22.4-150000.1.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2024-06-10 20:30:06 UTC 
SUSE-SU-2024:1969-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1212475, 1225973, 1225974
CVE References: CVE-2024-24789, CVE-2024-24790
Maintenance Incident: [SUSE:Maintenance:34164](https://smelt.suse.de/incident/34164/)
Sources used:
Development Tools Module 15-SP5 (src):
 go1.21-1.21.11-150000.1.36.1
Development Tools Module 15-SP6 (src):
 go1.21-1.21.11-150000.1.36.1
openSUSE Leap 15.5 (src):
 go1.21-1.21.11-150000.1.36.1
openSUSE Leap 15.6 (src):
 go1.21-1.21.11-150000.1.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.