Bugzilla – Bug 1225973
VUL-0: CVE-2024-24789: go1.21,go1.22: archive/zip: mishandling of corrupt central directory record
Last modified: 2024-07-03 04:50:04 UTC
The archive/zip package's handling of certain types of invalid zip files differed from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Thanks to Yufan You (@ouuan) for reporting this issue. This is CVE-2024-24789 and Go issue https://go.dev/issue/66869.
This is an autogenerated message for OBS integration: This bug (1225973) was mentioned in https://build.opensuse.org/request/show/1178640 Factory / go1.21 https://build.opensuse.org/request/show/1178641 Factory / go1.22
SUSE-SU-2024:1936-1: An update that solves two vulnerabilities and has one security fix can now be installed. Category: security (moderate) Bug References: 1212475, 1225973, 1225974 CVE References: CVE-2024-24789, CVE-2024-24790 Maintenance Incident: [SUSE:Maintenance:34163](https://smelt.suse.de/incident/34163/) Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): go1.21-1.21.11-1.36.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1935-1: An update that solves two vulnerabilities and has one security fix can now be installed. Category: security (moderate) Bug References: 1218424, 1225973, 1225974 CVE References: CVE-2024-24789, CVE-2024-24790 Maintenance Incident: [SUSE:Maintenance:34165](https://smelt.suse.de/incident/34165/) Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): go1.22-1.22.4-1.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1970-1: An update that solves two vulnerabilities and has one security fix can now be installed. Category: security (moderate) Bug References: 1218424, 1225973, 1225974 CVE References: CVE-2024-24789, CVE-2024-24790 Maintenance Incident: [SUSE:Maintenance:34166](https://smelt.suse.de/incident/34166/) Sources used: openSUSE Leap 15.5 (src): go1.22-1.22.4-150000.1.18.1 openSUSE Leap 15.6 (src): go1.22-1.22.4-150000.1.18.1 Development Tools Module 15-SP5 (src): go1.22-1.22.4-150000.1.18.1 Development Tools Module 15-SP6 (src): go1.22-1.22.4-150000.1.18.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1969-1: An update that solves two vulnerabilities and has one security fix can now be installed. Category: security (moderate) Bug References: 1212475, 1225973, 1225974 CVE References: CVE-2024-24789, CVE-2024-24790 Maintenance Incident: [SUSE:Maintenance:34164](https://smelt.suse.de/incident/34164/) Sources used: Development Tools Module 15-SP5 (src): go1.21-1.21.11-150000.1.36.1 Development Tools Module 15-SP6 (src): go1.21-1.21.11-150000.1.36.1 openSUSE Leap 15.5 (src): go1.21-1.21.11-150000.1.36.1 openSUSE Leap 15.6 (src): go1.21-1.21.11-150000.1.36.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.