Bug 1192378 - (CVE-2021-41772) VUL-0: CVE-2021-41772: go1.16,go1.17: archive/zip: don't panic on (*Reader).Open
(CVE-2021-41772)
VUL-0: CVE-2021-41772: go1.16,go1.17: archive/zip: don't panic on (*Reader).Open
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv3.1:SUSE:CVE-2021-41772:7.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-11-05 05:39 UTC by Jeff Kowalczyk
Modified: 2022-04-13 07:25 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2021-11-05 05:39:56 UTC
Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument.

Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team for reporting this issue.

This is CVE-2021-41772 and Go issue go#48085.

References:

https://github.com/golang/go/issues/48085
Comment 1 OBSbugzilla Bot 2021-11-05 07:40:19 UTC
This is an autogenerated message for OBS integration:
This bug (1192378) was mentioned in
https://build.opensuse.org/request/show/929549 Factory / go1.16
https://build.opensuse.org/request/show/929550 Factory / go1.17
Comment 3 Swamp Workflow Management 2021-12-01 20:39:34 UTC
openSUSE-SU-2021:3833-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    go1.17-1.17.3-1.9.1
Comment 4 Swamp Workflow Management 2021-12-01 20:50:39 UTC
SUSE-SU-2021:3833-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.17-1.17.3-1.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    go1.17-1.17.3-1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-01 21:16:09 UTC
SUSE-SU-2021:3834-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.16-1.16.10-1.32.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    go1.16-1.16.10-1.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2021-12-01 21:32:10 UTC
openSUSE-SU-2021:3834-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    go1.16-1.16.10-1.32.1
Comment 7 Swamp Workflow Management 2021-12-06 17:49:43 UTC
openSUSE-SU-2021:1539-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1192377,1192378
CVE References: CVE-2021-41771,CVE-2021-41772
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    go1.16-1.16.10-lp152.17.1