FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

go -- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader; archive/zip: panic when calling Reader.Open

Affected packages
go < 1.16.1,1

Details

VuXML ID 72709326-81f7-11eb-950a-00155d646401
Discovery 2021-03-05
Entry 2021-03-10

The Go project reports:

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

[source]

The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with "../".

[source]

References

CVE Name CVE-2021-27918
CVE Name CVE-2021-27919
URL http://golang.org/issue/44913
URL http://golang.org/issue/44916

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.