The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2024/06/04/1 | Mailing List |
https://go.dev/cl/585397 | Patch |
https://go.dev/issue/66869 | Issue Tracking Patch |
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ | Release Notes |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/ | |
https://pkg.go.dev/vuln/GO-2024-2888 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Go
Published: 2024-06-05T15:13:51.938Z
Updated: 2024-06-05T15:13:51.938Z
Reserved: 2024-01-30T16:05:14.758Z
Link: CVE-2024-24789
NVD Information
Status: Modified
Published: 2024-06-05T16:15:10.470
Modified: 2024-06-19T03:15:09.183
Link: CVE-2024-24789
Redhat Information
No data.
CWE