Bugzilla – Bug 1192378
VUL-0: CVE-2021-41772: go1.16,go1.17: archive/zip: don't panic on (*Reader).Open
Last modified: 2022-04-13 07:25:34 UTC
Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument.

Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team for reporting this issue.

This is CVE-2021-41772 and Go issue go#48085.

References: https://github.com/golang/go/issues/48085
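The report above describes two triggers: an archive whose member names are not valid io/fs paths, and an empty name passed to Open. The following is an added example, not code from the Go project or from this bug report, showing how a consumer of archive/zip can contain the problem while waiting for a fixed toolchain: it screens member names with fs.ValidPath before touching the archive, and wraps (*zip.Reader).Open so that a panic inside the library surfaces as an error instead of crashing the process. The archive contents ("good.txt", "../escape.txt") and the helper names (buildArchive, openArchive, invalidEntryNames, safeOpen) are constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"io/fs"
)

// buildArchive returns a constructed in-memory ZIP (sample data for this
// example) with one ordinary member and one member whose name is not a
// valid io/fs path because it tries to climb out of the archive root.
func buildArchive() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	members := map[string]string{
		"good.txt":      "hello",
		"../escape.txt": "not a valid fs.FS path",
	}
	for name, body := range members {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := io.WriteString(w, body); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// openArchive parses the constructed archive. A nil Reader means the central
// directory itself was unreadable; newer Go releases may additionally report
// an insecure-path error while still returning a usable Reader, and in that
// case we keep the Reader so invalidEntryNames can list the offenders.
func openArchive() (*zip.Reader, error) {
	data := buildArchive()
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil {
		return nil, err
	}
	return r, nil
}

// invalidEntryNames lists every member whose stored name fails fs.ValidPath.
// Such names (empty, absolute, containing "." or ".." elements, or with
// empty elements) are exactly the kind that Open was never meant to see, so
// an archive reporting any is a candidate for rejection before use.
func invalidEntryNames(r *zip.Reader) []string {
	var bad []string
	for _, f := range r.File {
		if !fs.ValidPath(f.Name) {
			bad = append(bad, f.Name)
		}
	}
	return bad
}

// safeOpen reads one member by name. The caller-supplied name is validated
// first (this rejects the empty-name trigger outright), and a recover guard
// turns any panic raised inside Open on an unpatched Go into an error.
func safeOpen(r *zip.Reader, name string) (data []byte, err error) {
	if !fs.ValidPath(name) {
		return nil, fmt.Errorf("refusing to open %q: not a valid fs path", name)
	}
	defer func() {
		if rec := recover(); rec != nil {
			data, err = nil, fmt.Errorf("zip Open panicked for %q: %v", name, rec)
		}
	}()
	f, err := r.Open(name)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

func main() {
	r, err := openArchive()
	if err != nil {
		panic(err)
	}
	fmt.Println("members with invalid names:", invalidEntryNames(r))
	if data, err := safeOpen(r, "good.txt"); err == nil {
		fmt.Printf("good.txt: %q\n", data)
	}
	if _, err := safeOpen(r, ""); err != nil {
		fmt.Println("empty name:", err)
	}
}
```

The recover guard is a stopgap, not a replacement for the fix: a panic reached inside the library means the archive has already been partially processed, so the practical policy is to treat any non-empty result from invalidEntryNames as a reason to discard the archive before calling Open at all.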
This is an autogenerated message for OBS integration: This bug (1192378) was mentioned in https://build.opensuse.org/request/show/929549 Factory / go1.16 https://build.opensuse.org/request/show/929550 Factory / go1.17
openSUSE-SU-2021:3833-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1190649,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): go1.17-1.17.3-1.9.1

SUSE-SU-2021:3833-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1190649,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): go1.17-1.17.3-1.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): go1.17-1.17.3-1.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:3834-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): go1.16-1.16.10-1.32.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): go1.16-1.16.10-1.32.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:3834-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): go1.16-1.16.10-1.32.1

openSUSE-SU-2021:1539-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): go1.16-1.16.10-lp152.17.1