Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/03/10 16:55:44 UTC

[GitHub] [trafficcontrol] zrhoffman commented on pull request #5625: Update Go version to 1.15.9

zrhoffman commented on pull request #5625:
URL: https://github.com/apache/trafficcontrol/pull/5625#issuecomment-795732769


   Patches security issues in `encoding/xml` and `archive/zip`:
   > - encoding/xml: infinite loop when using `xml.NewTokenDecoder` with a custom `TokenReader`
   >
   >   The `Decode`, `DecodeElement`, and `Skip` methods of an `xml.Decoder` provided by `xml.NewTokenDecoder` may enter an infinite loop when operating on a custom `xml.TokenReader` which returns an `EOF` in the middle of an open XML element.
   >
   >   Thanks to Sam Whited for reporting this issue.
   >
   >   This issue is CVE-2021-27918 and Go issue [golang.org/issue/44913](http://golang.org/issue/44913).
   >
   > - archive/zip: panic when calling Reader.Open
   >
   >   The `Reader.Open` API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with “../”.
   >
   >   This issue is CVE-2021-27919 and Go issue [golang.org/issue/44916](http://golang.org/issue/44916).
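An added example to check a toolchain against the two fixes quoted above; it is not code from this pull request or from the Go project. It builds a constructed `xml.TokenReader` that emits `<msg>` and then returns `io.EOF` while the element is still open, runs `Decode` and `Skip` over it on a goroutine with a timeout so a vulnerable toolchain shows up as a reported hang rather than a wedged process, then builds a constructed in-memory ZIP with the entries `docs/readme.txt` and `../evil.txt`, calls `Reader.Open` on the traversal entry under `recover`, and applies the `fs.ValidPath` screen an extractor should run on every entry name before touching the filesystem. The element name, the entry names and the two-second limit are assumptions of the example. Because `Reader.Open` only exists from Go 1.16, this compiles on 1.16 or later and not on the 1.15.9 this PR moves to; on a toolchain with both fixes, the two decoder calls return an `*xml.SyntaxError` ("unexpected EOF") and `Open` returns a path error rather than panicking.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"io/fs"
	"strings"
	"time"
)

// truncatedReader is a constructed xml.TokenReader: it yields <msg> once, then
// reports io.EOF forever, i.e. EOF while an element is still open.
type truncatedReader struct{ sent bool }

func (r *truncatedReader) Token() (xml.Token, error) {
	if r.sent {
		return nil, io.EOF
	}
	r.sent = true
	return xml.StartElement{Name: xml.Name{Local: "msg"}}, nil
}

// runWithTimeout reports a decoder that never returns as finished == false
// instead of wedging the caller (the pre-fix behaviour quoted above).
func runWithTimeout(limit time.Duration, fn func() error) (finished bool, err error) {
	done := make(chan error, 1)
	go func() { done <- fn() }()
	select {
	case err = <-done:
		return true, err
	case <-time.After(limit):
		return false, nil
	}
}

// CheckXMLDecoderEOF drives Decode and Skip over the truncated token stream.
// A patched toolchain returns promptly from both with an *xml.SyntaxError.
func CheckXMLDecoderEOF() (decodeDone, skipDone bool, decodeErr, skipErr error) {
	decodeDone, decodeErr = runWithTimeout(2*time.Second, func() error {
		var v struct{ XMLName xml.Name `xml:"msg"` }
		return xml.NewTokenDecoder(&truncatedReader{}).Decode(&v)
	})
	skipDone, skipErr = runWithTimeout(2*time.Second, func() error {
		d := xml.NewTokenDecoder(&truncatedReader{})
		if _, err := d.Token(); err != nil { // consume <msg>
			return err
		}
		return d.Skip() // wait for </msg>, which never arrives
	})
	return decodeDone, skipDone, decodeErr, skipErr
}

// BuildZip constructs an in-memory archive with one benign entry and one
// named "../evil.txt"; zip.Writer does not reject such names.
func BuildZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range [][2]string{{"docs/readme.txt", "hello\n"}, {"../evil.txt", "owned\n"}} {
		f, err := w.Create(e[0])
		if err != nil {
			panic(err)
		}
		io.WriteString(f, e[1])
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// InspectZip sorts every entry by the screen a hardened extractor runs first
// (fs.ValidPath rejects "..", a leading "/" and empty elements; backslashes
// are normalised beforehand), then calls Reader.Open on the "../" entry and
// reports a panic (the CVE-2021-27919 behaviour) as a result, not a crash.
func InspectZip(archive []byte) (panicked bool, openErr error, valid, invalid []string) {
	defer func() {
		if r := recover(); r != nil {
			panicked, openErr = true, fmt.Errorf("panic: %v", r)
		}
	}()
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return false, err, nil, nil
	}
	for _, f := range zr.File {
		name := strings.TrimSuffix(strings.ReplaceAll(f.Name, `\`, "/"), "/")
		if fs.ValidPath(name) {
			valid = append(valid, f.Name)
		} else {
			invalid = append(invalid, f.Name)
		}
	}
	_, openErr = zr.Open("../evil.txt")
	return false, openErr, valid, invalid
}

func main() {
	dd, sd, de, se := CheckXMLDecoderEOF()
	fmt.Printf("Decode finished=%v err=%v\nSkip finished=%v err=%v\n", dd, de, sd, se)
	panicked, err, valid, invalid := InspectZip(BuildZip())
	fmt.Printf("Open panicked=%v err=%v\nvalid=%v invalid=%v\n", panicked, err, valid, invalid)
}
```

`go run` on a patched toolchain prints both decoder calls as finished with a syntax error, `Open` as not panicked with a path error, and `../evil.txt` in the invalid list. The name screen is deliberately applied to `zr.File` before `Open` is ever called: an extractor that only relies on `Reader.Open` to refuse bad names still has to iterate the raw entries, and `fs.ValidPath` on the normalised name is the check that decides what may be written under the extraction root.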


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org