CVE-2024-24789

2024-06-0516:15:10

Debian Security Bug Tracker

security-tracker.debian.org

archive/zip package

invalid zip files

exploitation

unix

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.5 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.9%

JSON

The archive/zip package’s handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

OSVersionArchitecturePackageVersionFilename
Debian10allgolang-1.11<= 1.11.6-1+deb10u4golang-1.11_1.11.6-1+deb10u4_all.deb
Debian11allgolang-1.15<= 1.15.15-1~deb11u4golang-1.15_1.15.15-1~deb11u4_all.deb
Debian12allgolang-1.19<= 1.19.8-2golang-1.19_1.19.8-2_all.deb
Debian999allgolang-1.21< 1.21.11-1golang-1.21_1.21.11-1_all.deb
Debian13allgolang-1.21< 1.21.11-1golang-1.21_1.21.11-1_all.deb
Debian999allgolang-1.22< 1.22.4-1golang-1.22_1.22.4-1_all.deb
Debian13allgolang-1.22< 1.22.4-1golang-1.22_1.22.4-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	golang-1.11	<= 1.11.6-1+deb10u4	golang-1.11_1.11.6-1+deb10u4_all.deb
Debian	11	all	golang-1.15	<= 1.15.15-1~deb11u4	golang-1.15_1.15.15-1~deb11u4_all.deb
Debian	12	all	golang-1.19	<= 1.19.8-2	golang-1.19_1.19.8-2_all.deb
Debian	999	all	golang-1.21	< 1.21.11-1	golang-1.21_1.21.11-1_all.deb
Debian	13	all	golang-1.21	< 1.21.11-1	golang-1.21_1.21.11-1_all.deb
Debian	999	all	golang-1.22	< 1.22.4-1	golang-1.22_1.22.4-1_all.deb
Debian	13	all	golang-1.22	< 1.22.4-1	golang-1.22_1.22.4-1_all.deb