FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

go -- archive/zip: overflow in preallocation check can cause OOM panic

Affected packages
go < 1.17.1,1

Details

VuXML ID 4ea1082a-1259-11ec-b4fa-dd5a552bdd17
Discovery 2021-08-18
Entry 2021-09-10

The Go project reports:

An oversight in the previous fix still allows for an OOM panic when the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, effectively bypassing the check that the number of files in the archive is reasonable.
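The flaw described above is a plain unsigned-subtraction wraparound: when the header's directory size exceeds the real archive size, `archiveSize - directorySize` on a `uint64` does not go negative but wraps to a huge value, so a sanity bound derived from it accepts an absurd record count and the reader preallocates until it panics. The following Go snippet is an added, constructed illustration of that pattern and its corrected form; it is not the archive/zip source and not the Go project's code. The function names and the `recordSize` constant are hypothetical.

```go
package main

import "fmt"

// recordSize is a hypothetical minimum byte size of one directory record; a
// reader uses it to bound how many records the remaining bytes could hold.
const recordSize = 46

// shouldPreallocUnsafe mirrors the flawed check: the subtraction is done
// before verifying that dirSize fits inside archiveSize, so a header claiming
// dirSize > archiveSize wraps the uint64 and the bound becomes enormous.
func shouldPreallocUnsafe(archiveSize, dirSize, claimedRecords uint64) bool {
	remaining := archiveSize - dirSize // wraps around when dirSize > archiveSize
	return remaining/recordSize >= claimedRecords
}

// shouldPreallocSafe rejects an impossible directory size before doing any
// arithmetic, so the subtraction can never wrap and a bogus record count is
// never trusted for preallocation.
func shouldPreallocSafe(archiveSize, dirSize, claimedRecords uint64) bool {
	if dirSize > archiveSize {
		return false
	}
	return (archiveSize-dirSize)/recordSize >= claimedRecords
}

func main() {
	// Constructed malformed header: 1000-byte archive, header claims a
	// 2000-byte directory holding 2^40 records.
	const archiveSize, dirSize, claimed = 1000, 2000, uint64(1) << 40
	fmt.Printf("unsafe check preallocates %d records: %v\n",
		claimed, shouldPreallocUnsafe(archiveSize, dirSize, claimed))
	fmt.Printf("safe check preallocates %d records:   %v\n",
		claimed, shouldPreallocSafe(archiveSize, dirSize, claimed))

	// Well-formed header: 10000-byte archive, 460-byte directory, 100 records.
	fmt.Printf("safe check on a sane header: %v\n",
		shouldPreallocSafe(10000, 460, 100))
}
```

The defensive pattern is the general one for unsigned arithmetic: compare the operands (`dirSize > archiveSize`) before subtracting, rather than testing the difference afterwards, because an unsigned difference is never negative and therefore never reveals that the operands were inverted.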

References

CVE Name CVE-2021-39293
URL https://github.com/golang/go/issues/47801