Related Vulnerabilities: CVE-2021-33195   CVE-2021-33196   CVE-2021-33197   CVE-2021-33198

Debian Bug report logs - #989492
golang-1.16: CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 Jun 2021 08:12:02 UTC

Severity: grave

Tags: security, upstream

Found in version golang-1.16/1.16.4-1

Fixed in version golang-1.16/1.16.5-1

Done: Shengjing Zhu <zhsj@debian.org>

Forwarded to https://github.com/golang/go/issues/46397



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#989492; Package src:golang-1.16. (Sat, 05 Jun 2021 08:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>. (Sat, 05 Jun 2021 08:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-1.16: CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion
Date: Sat, 05 Jun 2021 10:08:50 +0200
Source: golang-1.16
Version: 1.16.4-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/golang/go/issues/46397
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for golang-1.16.

CVE-2021-33196[0]:
| archive/zip: malformed archive may cause panic or memory exhaustion

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33196
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33196
[1] https://github.com/golang/go/issues/46397

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#989492; Package src:golang-1.16. (Sat, 05 Jun 2021 11:21:03 GMT)


Acknowledgement sent to Shengjing Zhu <zhsj@debian.org>:
Extra info received and forwarded to list. Copy sent to Go Compiler Team <team+go-compiler@tracker.debian.org>. (Sat, 05 Jun 2021 11:21:03 GMT)


Message #10 received at 989492@bugs.debian.org:

From: Shengjing Zhu <zhsj@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 989492@bugs.debian.org
Subject: Re: Bug#989492: golang-1.16: CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion
Date: Sat, 5 Jun 2021 19:17:44 +0800

Hi Salvatore,

On Sat, Jun 5, 2021 at 4:12 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi,
>
> The following vulnerability was published for golang-1.16.
>
> CVE-2021-33196[0]:

How does the security-tracker pull the CVE data? The point release from
golang appears to address 4 CVEs, which are CVE-2021-3319{5,6,7,8}. Why
is the security-tracker only aware of CVE-2021-33196?

https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI

-- 
Shengjing Zhu



Reply sent to Shengjing Zhu <zhsj@debian.org>:
You have taken responsibility. (Sat, 05 Jun 2021 11:36:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 05 Jun 2021 11:36:05 GMT)


Message #15 received at 989492-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 989492-close@bugs.debian.org
Subject: Bug#989492: fixed in golang-1.16 1.16.5-1
Date: Sat, 05 Jun 2021 11:33:34 +0000
Source: golang-1.16
Source-Version: 1.16.5-1
Done: Shengjing Zhu <zhsj@debian.org>

We believe that the bug you reported is fixed in the latest version of
golang-1.16, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989492@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated golang-1.16 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 05 Jun 2021 19:03:59 +0800
Source: golang-1.16
Architecture: source
Version: 1.16.5-1
Distribution: unstable
Urgency: medium
Maintainer: Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 989492
Changes:
 golang-1.16 (1.16.5-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.16.5
     + CVE-2021-33195: net: Lookup functions may return invalid host names
     + CVE-2021-33196: archive/zip: malformed archive may cause panic or memory
       exhaustion (Closes: #989492)
     + CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection
       headers if first one is empty
     + CVE-2021-33198: math/big: (*Rat).SetString with "1.770p02041010010011001001"
       crashes with "makeslice: len out of range"
Checksums-Sha1:
 5d335ce05b7c1f4def0c5d04558fec8c2b1bbec3 1992 golang-1.16_1.16.5-1.dsc
 b3d00525ea5af180149fafca8da730c6f988f29f 20921372 golang-1.16_1.16.5.orig.tar.gz
 306ac2691d7bc3aefd40939fdca7f9820837baee 39792 golang-1.16_1.16.5-1.debian.tar.xz
 a94208702801b2e7baddebf6555b777ac84e5bdf 6059 golang-1.16_1.16.5-1_amd64.buildinfo
Checksums-Sha256:
 cd9ca8bd10a64f338cd950f39661fec6b7a6e98e6859f1ed1cf43b6cb7b13c91 1992 golang-1.16_1.16.5-1.dsc
 7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80 20921372 golang-1.16_1.16.5.orig.tar.gz
 ef7521fec00ee4a9fae6fe4ff55bb4964d3e5c6f66c11c433aed22cd2d742dea 39792 golang-1.16_1.16.5-1.debian.tar.xz
 82744196c29bee7586f40c2c3ed761d62a385c025dc0874626ab6d16d4661020 6059 golang-1.16_1.16.5-1_amd64.buildinfo
Files:
 6300a4b0e3f8a0d644dfdb244a5709e0 1992 golang optional golang-1.16_1.16.5-1.dsc
 f3c06704e536dcca1814b16dbcdc4a36 20921372 golang optional golang-1.16_1.16.5.orig.tar.gz
 5cda9bd119b714ad50039d850c416120 39792 golang optional golang-1.16_1.16.5-1.debian.tar.xz
 67b728457614ddb1c4188e0c2363afec 6059 golang optional golang-1.16_1.16.5-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIYEARYIAC4WIQSRhdT1d2eu7mxV1B5/RPol6lUUywUCYLte3BAcemhzakBkZWJp
YW4ub3JnAAoJEH9E+iXqVRTLFF0BAJ+m42aiD60ahtLzi0Z2Ec+ACNeARlHlCDfH
YIcADs5yAQC7mUyMXd41VzeJ0Nj9E2cBXlAZ+21UCCuQNkuVKtBNDw==
=6rsV
-----END PGP SIGNATURE-----
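The changelog above records the fix as golang-1.16 1.16.5-1 (the report was found in 1.16.4-1). Upgrading the compiler package does not by itself repair programs that were already built: a Go binary carries its own copy of the standard library, archive/zip included, so anything compiled with go1.16.4 or earlier stays vulnerable until it is rebuilt with the fixed toolchain. The POSIX shell script below is an added example, not part of this bug log or of Debian's tooling: it classifies a toolchain version string against the go1.16 range this report covers and scans a directory for executables whose embedded build stamp falls in that range. It assumes the `go` command is on PATH for the scan (`go version FILE` prints the toolchain a Go binary was built with, one line of the form `FILE: go1.16.4`), and the `vulnerable_go116` classifier deliberately covers only the go1.16 series named here; other release branches need their own range.

```shell
#!/bin/sh
# Added example (not from the bug log): find Go binaries built with a go1.16
# toolchain that predates the 1.16.5 fix recorded in the changelog above.

# vulnerable_go116 VERSION
# Exit 0 when VERSION is a go1.16 toolchain older than go1.16.5, the range this
# report covers (found in 1.16.4, fixed in 1.16.5). The initial go1.16 release
# and its pre-releases carry no patch number, so they are matched explicitly.
vulnerable_go116() {
    case "$1" in
        go1.16|go1.16rc*|go1.16beta*|go1.16.[0-4]) return 0 ;;
        *) return 1 ;;
    esac
}

# toolchain_of LINE
# Extract the toolchain version from one line of `go version FILE` output,
# e.g. "/usr/local/bin/foo: go1.16.4" -> "go1.16.4". Prints nothing when the
# line carries no version, such as the "go version not found" message the go
# tool emits for files that are not Go binaries.
toolchain_of() {
    printf '%s\n' "$1" | sed -n 's/^.*: \(go[0-9][0-9A-Za-z.]*\).*$/\1/p'
}

# scan_go_binaries DIR
# Walk DIR for executable files, ask the go tool which toolchain built each
# one, and print "VULNERABLE <path> <version>" for every hit. Requires `go`
# on PATH; non-Go files and unreadable paths are skipped silently.
scan_go_binaries() {
    find "$1" -type f -perm -u=x 2>/dev/null | while IFS= read -r f; do
        v=$(toolchain_of "$(go version "$f" 2>/dev/null | head -n 1)")
        [ -n "$v" ] || continue
        if vulnerable_go116 "$v"; then
            printf 'VULNERABLE %s %s\n' "$f" "$v"
        fi
    done
}

# Usage: scan_go_binaries /usr/local/bin
```

The classifier is a `case` pattern rather than a numeric comparison on purpose: the question this report answers is only "is this a go1.16 build older than 1.16.5", and a pattern cannot be fooled by pre-release strings such as go1.16rc1 the way a field-by-field integer comparison can. Run the scan over the directories that hold locally built services (for example /usr/local/bin or an application's deploy root); anything it lists needs a rebuild with the updated package, not just the package upgrade.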




Information forwarded to debian-bugs-dist@lists.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#989492; Package src:golang-1.16. (Sat, 05 Jun 2021 11:42:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Go Compiler Team <team+go-compiler@tracker.debian.org>. (Sat, 05 Jun 2021 11:42:03 GMT)


Message #20 received at 989492@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Shengjing Zhu <zhsj@debian.org>, 989492@bugs.debian.org
Subject: Re: Bug#989492: golang-1.16: CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion
Date: Sat, 5 Jun 2021 13:40:47 +0200

Hi,

On Sat, Jun 05, 2021 at 07:17:44PM +0800, Shengjing Zhu wrote:
> Hi Salvatore,
> 
> On Sat, Jun 5, 2021 at 4:12 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Hi,
> >
> > The following vulnerability was published for golang-1.16.
> >
> > CVE-2021-33196[0]:
> 
> How does the security-tracker pull the CVE data? The point release from
> golang appears to address 4 CVEs, which are CVE-2021-3319{5,6,7,8}. Why
> is the security-tracker only aware of CVE-2021-33196?
> 
> https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI

It pulls various feeds, and then someone on the team investigates
the new entries.

I will look at those others shortly.

Regards,
Salvatore



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jun 5 16:13:52 2021; Machine Name: buxtehude
