data/reports: review GO-2024-3344

- data/reports/GO-2024-3344.yaml Fixes #3344 Fixes #3353 Change-Id: Icbebcb7607230d4a1bcb2bd8826a9f44897cbc97 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/637960 LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]>
golang · Dec 20, 2024 · 1de53ca · 1de53ca
1 parent 035d5b8
commit 1de53ca
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 9 deletions.
diff --git a/data/osv/GO-2024-3344.json b/data/osv/GO-2024-3344.json
@@ -6,8 +6,11 @@
   "aliases": [
     "GHSA-32gq-x56h-299c"
   ],
-  "summary": "age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution in filippo.io/age",
-  "details": "age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution in filippo.io/age",
+  "related": [
+    "CVE-2024-56327"
+  ],
+  "summary": "Malicious plugin names, recipients, or identities causing arbitrary binary execution in filippo.io/age",
+  "details": "Malicious plugin names, recipients, or identities causing arbitrary binary execution in filippo.io/age",
   "affected": [
     {
       "package": {
@@ -27,7 +30,26 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "filippo.io/age/plugin",
+            "symbols": [
+              "EncodeIdentity",
+              "EncodeRecipient",
+              "Identity.Unwrap",
+              "NewIdentity",
+              "NewIdentityWithoutData",
+              "NewRecipient",
+              "ParseIdentity",
+              "ParseRecipient",
+              "Recipient.Wrap",
+              "Recipient.WrapWithLabels",
+              "openClientConnection"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
@@ -36,12 +58,17 @@
       "url": "https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c"
     },
     {
-      "type": "WEB",
+      "type": "FIX",
       "url": "https://github.com/FiloSottile/age/commit/482cf6fc9babd3ab06f6606762aac10447222201"
     }
   ],
+  "credits": [
+    {
+      "name": "⬡-49016"
+    }
+  ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3344",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3344.yaml b/data/reports/GO-2024-3344.yaml
@@ -4,15 +4,34 @@ modules:
       versions:
         - fixed: 1.2.1
       vulnerable_at: 1.2.0
+      packages:
+        - package: filippo.io/age/plugin
+          symbols:
+            - NewIdentityWithoutData
+            - EncodeRecipient
+            - EncodeIdentity
+            - ParseRecipient
+            - openClientConnection
+            - ParseIdentity
+          derived_symbols:
+            - Identity.Unwrap
+            - NewIdentity
+            - NewRecipient
+            - Recipient.Wrap
+            - Recipient.WrapWithLabels
 summary: |-
-    age vulnerable to malicious plugin names, recipients, or identities causing
+    Malicious plugin names, recipients, or identities causing
     arbitrary binary execution in filippo.io/age
 ghsas:
     - GHSA-32gq-x56h-299c
+related:
+    - CVE-2024-56327
+credits:
+    - ⬡-49016
 references:
     - advisory: https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c
-    - web: https://github.com/FiloSottile/age/commit/482cf6fc9babd3ab06f6606762aac10447222201
+    - fix: https://github.com/FiloSottile/age/commit/482cf6fc9babd3ab06f6606762aac10447222201
 source:
     id: GHSA-32gq-x56h-299c
-    created: 2024-12-20T10:03:46.400782-10:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-20T10:15:12.556561-10:00
+review_status: REVIEWED