Emmanuel Odeke

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.16.8 Go versions 1.17.x prior to 1.17.1 **Description** The issue arises from a crafted archive header that falsely designates a large number of files, causing the NewReader or OpenReader functions in archive/zip to panic. This is due to an incomplete fix for a previous issue. The NewReader and OpenReader functions can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. **Recommendations** For Go versions prior to 1.16.8, update to version 1.16.8 or later. For Go versions 1.17.x prior to 1.17.1, update to version 1.17.1 or later. As a temporary workaround, consider restricting the use of the NewReader and OpenReader functions in archive/zip until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.15.13 Go versions 1.16.x prior to 1.16.5 **Description** The issue is related to the math/big.Rat component and the UnmarshalText method in the Go programming language, which can lead to uncontrolled memory allocation. This can cause a device to crash and restart when exploited by a remote attacker. The problem arises when the Rat.SetString or Rat.UnmarshalText method is passed inputs with very large exponents, potentially resulting in a panic or an unrecoverable fatal error. **Recommendations** For Go versions prior to 1.15.13, update to version 1.15.13 or later to resolve the issue. For Go versions 1.16.x prior to 1.16.5, update to version 1.16.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `Rat.SetString` and `Rat.UnmarshalText` methods until a patch is available, especially when handling inputs with large exponents.

**Name of the Vulnerable Software and Affected Versions** archive/zip in Go versions prior to 1.15.13 archive/zip in Go versions 1.16.x prior to 1.16.5 **Description** The issue is related to the lack of checking the number of files in an archive, which can be exploited by a remote attacker to cause a denial of service using a crafted archive file. Specifically, a crafted file count in an archive's header can cause a NewReader or OpenReader panic. This can lead to excessive memory allocation attempts. The problem occurs when reading an archive that claims to contain a large number of files, regardless of its actual size, potentially causing a panic or an unrecoverable fatal error. **Recommendations** For archive/zip in Go versions prior to 1.15.13, update to version 1.15.13 or later. For archive/zip in Go versions 1.16.x prior to 1.16.5, update to version 1.16.5 or later. As a temporary workaround, consider restricting the use of the NewReader and OpenReader functions when dealing with archives from untrusted sources until a patch is applied.