Mirror of https://codeberg.org/forgejo/forgejo.git, synced 2026-05-12 22:10:25 +00:00
**Backport:** #7025

Resolves #6266

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7025
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>
Co-committed-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>

Backported due to `make security-check` failing in the `v11.0/forgejo` branch due to a newly registered vulnerability in github.com/nwaples/rardecode.

```
/home/forgejo/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.3.linux-amd64/bin/go run golang.org/x/vuln/cmd/govulncheck@v1 ./...
=== Symbol Results ===

Vulnerability #1: GO-2025-4020
    DoS risk due to unrestricted RAR dictionary sizes in github.com/nwaples/rardecode
  More info: https://pkg.go.dev/vuln/GO-2025-4020
  Module: github.com/nwaples/rardecode
    Found in: github.com/nwaples/rardecode@v1.1.3
    Fixed in: N/A
    Example traces found:
      #1: modules/git/repo_commit.go:263:24: git.Repository.CommitsByFileAndRange calls io.ReadFull, which eventually calls rardecode.cipherBlockReader.Read
      #2: modules/packages/arch/metadata.go:22:2: arch.init calls archiver.init, which calls rardecode.init
      #3: modules/git/repo_language_stats.go:198:32: git.Repository.GetLanguageStats calls bytes.Buffer.ReadFrom, which calls rardecode.limitedReader.Read

Your code is affected by 1 vulnerability from 1 module.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
exit status 3
make: *** [Makefile:526: security-check] Error 1
```

Co-authored-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10043
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
| Name |
|---|
| .. |
| alpine |
| arch |
| cargo |
| chef |
| composer |
| conan |
| conda |
| container |
| cran |
| debian |
| goproxy |
| helm |
| maven |
| npm |
| nuget |
| pub |
| pypi |
| rpm |
| rubygems |
| swift |
| vagrant |
| content_store.go |
| hashed_buffer.go |
| hashed_buffer_test.go |
| multi_hasher.go |
| multi_hasher_test.go |
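The backport message above shows why `make security-check` fails: govulncheck reached a vulnerable rardecode symbol through the call graph (symbol-level result, exit status 3), while a merely imported package or required module is only reported in the summary and does not fail the gate. The Go program below is an added example, not Forgejo's code and not part of govulncheck: it folds `govulncheck -json` output into one verdict per advisory and reproduces that exit-status rule, which is the logic a CI gate needs when the text output is not convenient to parse. The JSON field names follow govulncheck's `-json` protocol as I know it (`finding`, `osv`, `fixed_version`, `trace`, with `trace[0]` the vulnerable module/package/symbol); the sample stream is constructed, reusing the advisory id, module, version and the `arch.init -> archiver.init -> rardecode.init` trace from the log, and the `github.com/mholt/archiver/v3` and `forgejo.org` module paths in it are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Level is how closely govulncheck tied an advisory to the scanned code: only
// LevelCalled is "your code is affected" (exit status 3); the other two are its
// "packages you import" / "modules you require" summary lines.
type Level int

const (
	LevelRequired Level = iota + 1 // vulnerable module only in go.mod
	LevelImported                  // vulnerable package imported, no symbol reached
	LevelCalled                    // vulnerable symbol reachable from an entry point
)

func (l Level) String() string { return [...]string{"none", "required", "imported", "called"}[l] }

// Subset of govulncheck's -json "finding" message (field names as assumed in
// the lead-in): trace[0] is the vulnerable module, package or symbol, the last
// frame is the entry point. Receivers, positions and config/progress/osv
// messages are ignored.
type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version,omitempty"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
}
type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version,omitempty"` // empty means "Fixed in: N/A"
	Trace        []frame `json:"trace"`
}

// Result is the deepest Level any finding for an advisory reached, plus the
// first symbol-level call path (entry point first).
type Result struct {
	ID, Module, Version, Fixed, Path string
	Level                            Level
}

// callPath renders a trace like govulncheck's text output ("arch.init -> ...").
// Packages are named by their last import-path element, skipping a module
// major-version element such as .../archiver/v3 (a heuristic: the frame does
// not carry the declared package name).
func callPath(trace []frame) string {
	var parts []string
	for i := len(trace) - 1; i >= 0; i-- {
		p := strings.Split(trace[i].Package, "/")
		if n := len(p); n > 1 && len(p[n-1]) > 1 && p[n-1][0] == 'v' && strings.Trim(p[n-1][1:], "0123456789") == "" {
			p = p[:n-1]
		}
		parts = append(parts, p[len(p)-1]+"."+trace[i].Function)
	}
	return strings.Join(parts, " -> ")
}

// Triage folds a govulncheck -json stream (concatenated JSON objects) into one
// Result per advisory id, keeping the deepest level any finding reached.
func Triage(r io.Reader) (map[string]*Result, error) {
	dec, byID := json.NewDecoder(r), map[string]*Result{}
	for {
		var m struct {
			Finding *finding `json:"finding"`
		}
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("govulncheck json: %w", err)
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue // not a finding message
		}
		top, lvl := m.Finding.Trace[0], LevelRequired
		if top.Function != "" {
			lvl = LevelCalled
		} else if top.Package != "" {
			lvl = LevelImported
		}
		res := byID[m.Finding.OSV]
		if res == nil {
			res = &Result{ID: m.Finding.OSV}
			byID[res.ID] = res
		}
		res.Module, res.Version, res.Fixed = top.Module, top.Version, m.Finding.FixedVersion
		if lvl > res.Level {
			res.Level = lvl
		}
		if lvl == LevelCalled && res.Path == "" {
			res.Path = callPath(m.Finding.Trace)
		}
	}
	return byID, nil
}

// ExitCode mirrors govulncheck: 3 if any advisory is reached at symbol level
// (the condition that fails `make security-check`), else 0.
func ExitCode(results map[string]*Result) int {
	for _, r := range results {
		if r.Level == LevelCalled {
			return 3
		}
	}
	return 0
}

// Constructed sample, not real govulncheck output. Advisory id, module, version
// and the arch.init -> archiver.init -> rardecode.init trace come from the log
// above; the archiver/v3 and forgejo.org module paths are assumed. The module-
// and package-level findings for the same id precede the symbol-level one.
const calledSample = `
{"progress": {"message": "Scanning your code for known vulnerabilities..."}}
{"finding": {"osv": "GO-2025-4020", "trace": [{"module": "github.com/nwaples/rardecode", "version": "v1.1.3"}]}}
{"finding": {"osv": "GO-2025-4020", "trace": [{"module": "github.com/nwaples/rardecode", "version": "v1.1.3", "package": "github.com/nwaples/rardecode"}]}}
{"finding": {"osv": "GO-2025-4020", "trace": [
  {"module": "github.com/nwaples/rardecode", "version": "v1.1.3", "package": "github.com/nwaples/rardecode", "function": "init"},
  {"module": "github.com/mholt/archiver/v3", "package": "github.com/mholt/archiver/v3", "function": "init"},
  {"module": "forgejo.org", "package": "forgejo.org/modules/packages/arch", "function": "init"}]}}
`

// Usage: govulncheck -json ./... | go run triage.go -   (without "-" the
// constructed sample is triaged instead).
func main() {
	var in io.Reader = strings.NewReader(calledSample)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = os.Stdin
	}
	results, err := Triage(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, r := range results {
		fmt.Printf("%s [%s] %s@%s fixed=%q\n  %s\n", r.ID, r.Level, r.Module, r.Version, r.Fixed, r.Path)
	}
	os.Exit(ExitCode(results))
}
```

The gate only ever trips on a symbol-level finding, so a clean run proves that no vulnerable symbol is reachable from the scanned entry points, not that the module is gone. Because the advisory in the log lists no fixed version (`Fixed in: N/A`), bumping rardecode cannot clear it; only removing the reachable call path, as the backported change does for the traces shown, turns exit status 3 back into 0.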