What's the difference between archive/zip and debug/elf (for security)?


Florian Weimer

Nov 8, 2021, 7:00:10 AM11/8/21
to golan...@googlegroups.com
Bugs that cause archive/zip.Reader to panic on certain input files are
treated as security issues, while similar bugs for debug/elf.File are

I think treating these file formats differently makes sense, given
the different usage scenarios. However, I couldn't find an obvious place
where this is documented.

Maybe Go could adopt some standard language (“This package is not
expected to be used to process untrusted input data.”) and reference
that in the security policy?
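The distinction raised above matters for any program that hands debug/elf untrusted data: if a panic in that package is not treated as a security bug, the caller has to contain it. The following is an added example (not code from this thread or from the Go project) of a wrapper that caps the input size and turns a parser panic into an ordinary error; the 16 MiB limit and the MinimalELF64 test input are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
)

// SafeSectionNames parses an ELF image from untrusted bytes and returns its
// section names. The input is size-capped (16 MiB, an assumed limit) and any
// panic inside debug/elf is recovered and reported as an error, so one
// malformed file cannot take down the whole process.
func SafeSectionNames(data []byte) (names []string, err error) {
	if len(data) > 16<<20 {
		return nil, fmt.Errorf("elf: input of %d bytes exceeds size limit", len(data))
	}
	defer func() {
		if r := recover(); r != nil {
			names, err = nil, fmt.Errorf("elf: parser panicked on malformed input: %v", r)
		}
	}()
	f, err := elf.NewFile(bytes.NewReader(data))
	if err != nil {
		return nil, fmt.Errorf("elf: %w", err)
	}
	defer f.Close()
	for _, s := range f.Sections {
		names = append(names, s.Name)
	}
	return names, nil
}

// MinimalELF64 builds a constructed 64-byte little-endian ELF64 header with no
// program or section headers: the smallest well-formed input for elf.NewFile.
func MinimalELF64() []byte {
	h := elf.Header64{
		Ident:   [16]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:    uint16(elf.ET_EXEC),
		Machine: uint16(elf.EM_X86_64),
		Version: uint32(elf.EV_CURRENT),
		Ehsize:  64, Phentsize: 56, Shentsize: 64,
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, h) // fixed-size struct; cannot fail
	return buf.Bytes()
}
```

Truncated or non-ELF input comes back as an error rather than a crash, and the same recover/size-cap pattern applies to any stdlib decoder whose panics fall outside the security policy.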


Than McIntosh

Nov 8, 2021, 7:40:33 AM11/8/21
to Florian Weimer, golan...@googlegroups.com
I agree that it would be nice to have clarification on the policies/rules here. 

Would also like to point out however that some debug/* issues are treated as security issues (for example, the recent issue https://github.com/golang/go/issues/48990, fixed by https://go-review.googlesource.com/c/go/+/355990).



Dmitri Shuralyov

Nov 8, 2021, 5:52:12 PM11/8/21
to golang-dev
Issue 47653 may be relevant. It includes "Ideas for other packages that can benefit are welcome.", so this might be a good comment to raise on that issue.