Harshit Gupta

**Name of the Vulnerable Software and Affected Versions** Go (affected versions not specified) **Description** The "go tool pack" subcommand does not sanitize output filenames. This allows the extraction of a malicious archive file to write files to arbitrary locations on the filesystem. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go (affected versions not specified) **Description** The "go bug" command writes to two files with predictable names in the system temporary directory, such as "/tmp". An attacker with access to this directory can create a symbolic link (symlink)—a file that points to another file or directory—using one of these predictable names, which causes the command to overwrite the target file of the symlink. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** golang versions 1.15 golang versions 1.19 **Description** An issue exists in the archive/tar package within golang that involves an unbounded allocation during the parsing of GNU sparse map files. This can lead to excessive memory consumption and potentially cause a denial-of-service condition. **Recommendations** Update to a newer version of golang that contains a fix for this vulnerability.