CVE-2024-24789
Published: 5 June 2024
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
Priority
Status
Package | Release | Status |
---|---|---|
golang-1.10
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Needs triage
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
golang-1.13
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
jammy |
Needs triage
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
golang-1.14
Launchpad, Ubuntu, Debian |
focal |
Needs triage
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Needs triage
|
|
golang-1.16
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Needs triage
|
|
golang-1.17
Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Needs triage
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Needs triage
|
|
golang-1.18
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
jammy |
Needs triage
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
golang-1.20
Launchpad, Ubuntu, Debian |
focal |
Needs triage
|
jammy |
Needs triage
|
|
mantic |
Ignored
(end of life, was needs-triage)
|
|
noble |
Does not exist
|
|
upstream |
Needs triage
|
|
golang-1.21
Launchpad, Ubuntu, Debian |
focal |
Released
(1.21.1-1~ubuntu20.04.3)
|
jammy |
Released
(1.21.1-1~ubuntu22.04.3)
|
|
mantic |
Ignored
(end of life, was needed)
|
|
noble |
Released
(1.21.9-1ubuntu0.1)
|
|
upstream |
Released
(1.21.11-1)
|
|
golang-1.22
Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Released
(1.22.2-2~22.04.1)
|
|
mantic |
Ignored
(end of life, was needed)
|
|
noble |
Released
(1.22.2-2ubuntu0.1)
|
|
upstream |
Released
(1.22.4-1)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
References
- https://www.cve.org/CVERecord?id=CVE-2024-24789
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k
- https://github.com/golang/go/issues/66869
- https://go.dev/cl/585397
- https://go.dev/issue/66869
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
- https://pkg.go.dev/vuln/GO-2024-2888
- https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc (1.21)
- https://github.com/golang/go/commit/cf501ac0c5fe351a8582d20b43562027927906e7 (1.22)
- https://ubuntu.com/security/notices/USN-6886-1
- NVD
- Launchpad
- Debian