From e8b24cf7fdf59d55b93b79d3fd2e1de55129c80d Mon Sep 17 00:00:00 2001
From: Damien Neil
Date: Tue, 14 Mar 2023 08:57:19 -0700
Subject: [PATCH] data/reports: add GO-2023-1631.yaml
Aliases: CVE-2023-24535
Updates golang/vulndb#1631
Change-Id: If969c534b888ca71d337a6dc85e691839973488d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/476098
TryBot-Result: Gopher Robot
Run-TryBot: Damien Neil
Reviewed-by: Tatiana Bradley
Auto-Submit: Damien Neil
---
 data/cve/v5/GO-2023-1631.json | 95 ++++++++++++++++++++++++++++++++++
 data/osv/GO-2023-1631.json | 64 +++++++++++++++++++++++
 data/reports/GO-2023-1631.yaml | 34 ++++++++++++
 3 files changed, 193 insertions(+)
 create mode 100644 data/cve/v5/GO-2023-1631.json
 create mode 100644 data/osv/GO-2023-1631.json
 create mode 100644 data/reports/GO-2023-1631.yaml
diff --git a/data/cve/v5/GO-2023-1631.json b/data/cve/v5/GO-2023-1631.json
new file mode 100644
index 00000000..2baa92b8
--- /dev/null
+++ b/data/cve/v5/GO-2023-1631.json
@@ -0,0 +1,95 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-24535"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "google.golang.org/protobuf",
+ "product": "google.golang.org/protobuf/encoding/prototext",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "google.golang.org/protobuf/encoding/prototext",
+ "versions": [
+ {
+ "version": "1.29.0",
+ "lessThan": "1.29.1",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "UnmarshalOptions.unmarshal"
+ },
+ {
+ "name": "Unmarshal"
+ },
+ {
+ "name": "UnmarshalOptions.Unmarshal"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ },
+ {
+ "vendor": "google.golang.org/protobuf",
+ "product": "google.golang.org/protobuf/internal/encoding/text",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "google.golang.org/protobuf/internal/encoding/text",
+ "versions": [
+ {
+ "version": "1.29.0",
+ "lessThan": "1.29.1",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "parseNumber"
+ },
+ {
+ "name": "Decoder.Peek"
+ },
+ {
+ "name": "Decoder.Read"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-125: Out-of-bounds Read"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/475995"
+ },
+ {
+ "url": "https://github.com/golang/protobuf/issues/1530"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2023-1631"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-1631.json b/data/osv/GO-2023-1631.json
new file mode 100644
index 00000000..8fe9e9e6
--- /dev/null
+++ b/data/osv/GO-2023-1631.json
@@ -0,0 +1,64 @@
+{
+ "id": "GO-2023-1631",
+ "published": "0001-01-01T00:00:00Z",
+ "modified": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-24535"
+ ],
+ "details": "Parsing invalid messages can panic.\n\nParsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.",
+ "affected": [
+ {
+ "package": {
+ "name": "google.golang.org/protobuf",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.29.0"
+ },
+ {
+ "fixed": "1.29.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-1631"
+ },
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "google.golang.org/protobuf/encoding/prototext",
+ "symbols": [
+ "Unmarshal",
+ "UnmarshalOptions.Unmarshal",
+ "UnmarshalOptions.unmarshal"
+ ]
+ },
+ {
+ "path": "google.golang.org/protobuf/internal/encoding/text",
+ "symbols": [
+ "Decoder.Peek",
+ "Decoder.Read",
+ "parseNumber"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "FIX",
+ "url": "https://go.dev/cl/475995"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/golang/protobuf/issues/1530"
+ }
+ ],
+ "schema_version": "1.3.1"
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-1631.yaml b/data/reports/GO-2023-1631.yaml
new file mode 100644
index 00000000..beac3c00
--- /dev/null
+++ b/data/reports/GO-2023-1631.yaml
@@ -0,0 +1,34 @@
+modules:
+ - module: google.golang.org/protobuf
+ versions:
+ - introduced: 1.29.0
+ fixed: 1.29.1
+ vulnerable_at: 1.29.0
+ packages:
+ - package: google.golang.org/protobuf/encoding/prototext
+ symbols:
+ - UnmarshalOptions.unmarshal
+ derived_symbols:
+ - Unmarshal
+ - UnmarshalOptions.Unmarshal
+ - package: google.golang.org/protobuf/internal/encoding/text
+ symbols:
+ - parseNumber
+ derived_symbols:
+ - Decoder.Peek
+ - Decoder.Read
+summary: |
+ Parsing invalid messages can panic.
+description: |
+ Parsing invalid messages can panic.
+
+ Parsing a text-format message which contains
+ a potential number consisting of a minus sign,
+ one or more characters of whitespace,
+ and no further input will cause a panic.
+references:
+ - fix: https://go.dev/cl/475995
+ - report: https://github.com/golang/protobuf/issues/1530
+cve_metadata:
+ id: CVE-2023-24535
+ cwe: 'CWE-125: Out-of-bounds Read'
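Review bot: The `summary` and the opening line of `description` (`Parsing invalid messages can panic.`) name neither the module nor the input format, so the OSV `details` and the CNA `descriptions[].value` that the two JSON files carry verbatim do not tell a reader which package is affected or that the impact is a denial of service without consulting the `affected` list. Consider `summary: Panic when parsing malformed text-format messages in google.golang.org/protobuf/encoding/prototext` and starting the description with the package, e.g. `prototext.Unmarshal panics on a text-format message that contains ...`, keeping the minus-sign/whitespace/end-of-input detail that follows. The JSON hunks above appear to be generated from this report, so the wording only needs to change here.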