Fluid Attacks Database

Description

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	>=0 <1.19.2-1	1.19.2-1
go	stdlib	>=0 <1.18.7	1.18.7
rpm rhel8	podman	-	-
rpm rhel8	buildah	-	-
rpm rhel9	buildah	-	-
rpm rhel8	go-toolset	<0:1.18.9-1.module+el8.7.0+17845+708ebe87	0:1.18.9-1.module+el8.7.0+17845+708ebe87
rpm rhel9	golang	<0:1.18.9-1.el9_1	0:1.18.9-1.el9_1
rpm rhel8	osbuild-composer	<0:75-1.el8	0:75-1.el8
rpm rhel9	osbuild-composer	<0:76-2.el9_2	0:76-2.el9_2

1-10 of 15

Aliases

1. CVE-2022-28792. NVD-2022-28793. OSV-DEBIAN-2022-28794. OSV-2022-28795. OSV-GO-2022-10376. GCVE-2022-28797. SECURITY-TRACKER-CVE-2022-2879

References

1. https://go.dev/issue/548532. https://go.dev/cl/4393553. https://groups.google.com/g/golang-announce/c/xtuG5faxtaU

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.