git: 07472321defa - main - security/vuxml: Document lang/go vulnerability
Dmitri Goutnik
dmgk at FreeBSD.org
Fri Sep 10 17:22:07 UTC 2021
The branch main has been updated by dmgk:
URL: https://cgit.FreeBSD.org/ports/commit/?id=07472321defad0cbaa9a244307afca41575560e3
commit 07472321defad0cbaa9a244307afca41575560e3
Author: Dmitri Goutnik <dmgk at FreeBSD.org>
AuthorDate: 2021-09-10 17:13:49 +0000
Commit: Dmitri Goutnik <dmgk at FreeBSD.org>
CommitDate: 2021-09-10 17:21:33 +0000
security/vuxml: Document lang/go vulnerability
---
security/vuxml/vuln-2021.xml | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index b68a266fae5a..138d6323e12d 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,33 @@
+ <vuln vid="4ea1082a-1259-11ec-b4fa-dd5a552bdd17">
+ <topic>go -- archive/zip: overflow in preallocation check can cause OOM panic</topic>
+ <affects>
+ <package>
+ <name>go</name>
+ <range><lt>1.17.1,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Go project reports:</p>
+ <blockquote cite="https://github.com/golang/go/issues/47801">
+ <p>An oversight in the previous fix still allows for an OOM
+ panic when the indicated directory size in the archive
+ header is so large that subtracting it from the archive
+ size overflows a uint64, effectively bypassing the check
+ that the number of files in the archive is reasonable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2021-39293</cvename>
+ <url>https://github.com/golang/go/issues/47801</url>
+ </references>
+ <dates>
+ <discovery>2021-08-18</discovery>
+ <entry>2021-09-10</entry>
+ </dates>
+ </vuln>
+
<vuln vid="145ce848-1165-11ec-ac7e-08002789875b">
<topic>Python -- multiple vulnerabilities</topic>
<affects>
More information about the dev-commits-ports-all
mailing list