From c4a663363a6899c73b02b6667607619af1799e15 Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Wed, 15 May 2024 05:39:10 +0800 Subject: [PATCH] [Backport] archive/zip: treat truncated EOCDR comment as an error CVE: CVE-2024-24789 Reference: https://go-review.googlesource.com/c/go/+/588795 When scanning for an end of central directory record, treat an EOCDR signature with a record containing a truncated comment as an error. Previously, we would skip over the invalid record and look for another one. Other implementations do not do this (they either consider this a hard error, or just ignore the truncated comment). This parser misalignment allowed presenting entirely different archive contents to Go programs and other zip decoders. For #66869 Fixes #67553 Fixes CVE-2024-24789 Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6 Reviewed-on: https://go-review.googlesource.com/c/go/+/585397 Reviewed-by: Joseph Tsai Reviewed-by: Dmitri Shuralyov LUCI-TryBot-Result: Go LUCI (cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5) Reviewed-on: https://go-review.googlesource.com/c/go/+/588795 Reviewed-by: Matthew Dempsky Signed-off-by: vegbir --- src/archive/zip/reader.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go index e40a2c656b..987f543852 100644 --- a/src/archive/zip/reader.go +++ b/src/archive/zip/reader.go @@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int { if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 { // n is length of comment n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8 - if n+directoryEndLen+i <= len(b) { - return i + if n+directoryEndLen+i > len(b) { + // Truncated comment. + // Some parsers (such as Info-ZIP) ignore the truncated comment + // rather than treating it as a hard error. + return -1 } + return i } } return -1 -- 2.33.0