ALAS2-2022-1887 --- golangID: oval:org.secpod.oval:def:1701085 | Date: (C)2022-12-08 (M)2024-02-26 |
Class: PATCH | Family: unix |
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. No description is available for this CVE. Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string 'A=B\x00C=D' sets the variables 'A=B' and 'C=D'