What's the difference between archive/zip and debug/elf (for security)?


Florian Weimer

Nov 8, 2021, 7:00:10 AM11/8/21
to golan...@googlegroups.com
Bugs that cause archive/zip.Reader to panic on certain input files are
treated as security issues, while similar bugs for debug/elf.File are
not.

I think treating these file formats differently makes sense, given
different usage scenarios. However, I couldn't find an obvious place
where this is documented.

Maybe Go could adopt some standard language (“This package is not
expected to be used to process untrusted input data.”) and reference
that in the security policy?

Thanks,
Florian
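Added example, not part of this thread or of the Go project's code: if a service must nonetheless hand attacker-controlled files to debug/elf, the failure mode Florian describes (a panic on a malformed input) can be contained at the call site. The size cap, the recover wrapper and the constructed minimal ELF64 header are all assumptions of this example.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
)

// safely runs fn and turns a panic inside it into an ordinary error, so a
// malformed file can at worst fail one request rather than crash the process.
func safely(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("parser panicked on untrusted input: %v", r)
		}
	}()
	return fn()
}

// ParseUntrustedELF parses data with debug/elf behind a size cap and the panic
// guard. Accessors used later (Sections, Symbols, DWARF) belong inside safely too.
func ParseUntrustedELF(data []byte, maxSize int) (f *elf.File, err error) {
	if len(data) > maxSize {
		return nil, fmt.Errorf("input of %d bytes exceeds cap of %d", len(data), maxSize)
	}
	err = safely(func() (e error) {
		f, e = elf.NewFile(bytes.NewReader(data))
		return e
	})
	return f, err // f stays nil whenever err is set, including after a recovered panic
}

// MinimalELF64 is a constructed 64-byte little-endian ELF64 header with no program or section headers.
func MinimalELF64() []byte {
	h := elf.Header64{Type: uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64),
		Version: uint32(elf.EV_CURRENT), Ehsize: 64}
	copy(h.Ident[:], []byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64),
		byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)})
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.LittleEndian, h) // fixed-size struct, cannot fail
	return buf.Bytes()
}

func main() {
	for _, in := range [][]byte{MinimalELF64(), MinimalELF64()[:40], []byte("not ELF")} {
		f, err := ParseUntrustedELF(in, 1<<20)
		fmt.Printf("%d bytes: parsed=%v err=%v\n", len(in), f != nil, err)
	}
}
```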

Than McIntosh

Nov 8, 2021, 7:40:33 AM11/8/21
to Florian Weimer, golan...@googlegroups.com
I agree that it would be nice to have clarification on the policies/rules here. 

Would also like to point out however that some debug/* issues are treated as security issues (for example, the recent issue https://github.com/golang/go/issues/48990, fixed by https://go-review.googlesource.com/c/go/+/355990).

Than


Dmitri Shuralyov

Nov 8, 2021, 5:52:12 PM11/8/21
to golang-dev
Issue 47653 may be relevant. It includes "Ideas for other packages that can benefit are welcome.", so this might be a good comment to raise on that issue.