From 1de53ca6485b1bd261f6226554eca538d55cc400 Mon Sep 17 00:00:00 2001
From: Tatiana Bradley
Date: Fri, 20 Dec 2024 10:18:51 -1000
Subject: [PATCH] data/reports: review GO-2024-3344
- data/reports/GO-2024-3344.yaml
Fixes golang/vulndb#3344
Fixes golang/vulndb#3353
Change-Id: Icbebcb7607230d4a1bcb2bd8826a9f44897cbc97
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/637960
LUCI-TryBot-Result: Go LUCI
Auto-Submit: Tatiana Bradley
Reviewed-by: Damien Neil
---
data/osv/GO-2024-3344.json | 37 +++++++++++++++++++++++++++++-----
data/reports/GO-2024-3344.yaml | 27 +++++++++++++++++++++----
2 files changed, 55 insertions(+), 9 deletions(-)
diff --git a/data/osv/GO-2024-3344.json b/data/osv/GO-2024-3344.json
index 134942db..1e893310 100644
--- a/data/osv/GO-2024-3344.json
+++ b/data/osv/GO-2024-3344.json
@@ -6,8 +6,11 @@
 "aliases": [
 "GHSA-32gq-x56h-299c"
 ],
- "summary": "age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution in filippo.io/age",
- "details": "age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution in filippo.io/age",
+ "related": [
+ "CVE-2024-56327"
+ ],
+ "summary": "Malicious plugin names, recipients, or identities causing arbitrary binary execution in filippo.io/age",
+ "details": "Malicious plugin names, recipients, or identities causing arbitrary binary execution in filippo.io/age",
 "affected": [
 {
 "package": {
@@ -27,7 +30,26 @@
 ]
 }
 ],
- "ecosystem_specific": {}
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "filippo.io/age/plugin",
+ "symbols": [
+ "EncodeIdentity",
+ "EncodeRecipient",
+ "Identity.Unwrap",
+ "NewIdentity",
+ "NewIdentityWithoutData",
+ "NewRecipient",
+ "ParseIdentity",
+ "ParseRecipient",
+ "Recipient.Wrap",
+ "Recipient.WrapWithLabels",
+ "openClientConnection"
+ ]
+ }
+ ]
+ }
 }
 ],
 "references": [
@@ -36,12 +58,17 @@
 "url": "https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c"
 },
 {
- "type": "WEB",
+ "type": "FIX",
 "url": "https://github.com/FiloSottile/age/commit/482cf6fc9babd3ab06f6606762aac10447222201"
 }
 ],
+ "credits": [
+ {
+ "name": "⬡-49016"
+ }
+ ],
 "database_specific": {
 "url": "https://pkg.go.dev/vuln/GO-2024-3344",
- "review_status": "UNREVIEWED"
+ "review_status": "REVIEWED"
 }
 }
\ No newline at end of file
diff --git a/data/reports/GO-2024-3344.yaml b/data/reports/GO-2024-3344.yaml
index b7ad9801..1058bd5a 100644
--- a/data/reports/GO-2024-3344.yaml
+++ b/data/reports/GO-2024-3344.yaml
@@ -4,15 +4,34 @@ modules:
 versions:
 - fixed: 1.2.1
 vulnerable_at: 1.2.0
+ packages:
+ - package: filippo.io/age/plugin
+ symbols:
+ - NewIdentityWithoutData
+ - EncodeRecipient
+ - EncodeIdentity
+ - ParseRecipient
+ - openClientConnection
+ - ParseIdentity
+ derived_symbols:
+ - Identity.Unwrap
+ - NewIdentity
+ - NewRecipient
+ - Recipient.Wrap
+ - Recipient.WrapWithLabels
 summary: |-
- age vulnerable to malicious plugin names, recipients, or identities causing
+ Malicious plugin names, recipients, or identities causing
 arbitrary binary execution in filippo.io/age
 ghsas:
 - GHSA-32gq-x56h-299c
+related:
+ - CVE-2024-56327
+credits:
+ - ⬡-49016
 references:
 - advisory: https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c
- - web: https://github.com/FiloSottile/age/commit/482cf6fc9babd3ab06f6606762aac10447222201
+ - fix: https://github.com/FiloSottile/age/commit/482cf6fc9babd3ab06f6606762aac10447222201
 source:
 id: GHSA-32gq-x56h-299c
- created: 2024-12-20T10:03:46.400782-10:00
-review_status: NEEDS_REVIEW
+ created: 2024-12-20T10:15:12.556561-10:00
+review_status: REVIEWED
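Review bot: The reviewed report still carries no `description` — in the YAML hunk `summary: |-` is followed directly by `ghsas:` — so the generated OSV `details` (first hunk of this patch) merely repeats the one-line summary and consumers learn nothing about how a plugin name turns into an executed binary or which inputs have to be attacker-controlled for the listed symbols to matter. Since the patch marks the report `REVIEWED` and pins eleven symbols in `filippo.io/age/plugin`, a short `description: |-` block is the natural place to state which of the listed entry points accept a plugin name from an untrusted recipient or identity string and that the fix commit adds validation of that name; the exact wording should be taken from the referenced fix commit rather than inferred from the symbol list. Readers matching by CVE would also benefit from a sentence in that description saying why CVE-2024-56327 is listed under `related` rather than as an alias of this report.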