Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/pkgsite: vuln does not report fix versions correctly #54480

Closed
rittneje opened this issue Aug 16, 2022 · 4 comments
Closed

x/pkgsite: vuln does not report fix versions correctly #54480

rittneje opened this issue Aug 16, 2022 · 4 comments
Assignees
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@rittneje
Copy link

https://pkg.go.dev/vuln/GO-2022-0537

This page currently reads as follows:

Package Affected Versions
math/big go1.17.13 and earlier, go1.18.0 - go1.18.5

However, the actual CVE says that it was fixed in 1.17.13 and 1.18.5, so those should not be listed as affected versions.

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

This is just one example. All the pages under https://pkg.go.dev/vuln that I checked have this mistake.

@gopherbot gopherbot added this to the Unreleased milestone Aug 16, 2022
@jamalc
Copy link

jamalc commented Aug 29, 2022

I believe this is working as intended in CL 411077 but is nonetheless confusing. CC'ing @julieqiu @jba from the Security team. I can understand go1.18.0 - go1.18.5 not being inclusive of go1.18.5 but go1.17.13 and earlier seems incorrect. Should we rework this description or revert to the table configuration?

@jamalc jamalc added WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. and removed WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels Aug 29, 2022
@jamalc jamalc modified the milestones: Unreleased, pkgsite/later Aug 29, 2022
@rittneje
Copy link
Author

@jamalc It would be far less ambiguous to use standard notation. For example:

< go1.17.13
[go1.18.0, go1.18.5)

or

(-∞, go1.17.13)
[go1.18.0, go1.18.5)

@bkessler-go bkessler-go added vulndb and removed pkgsite labels Sep 1, 2022
@zpavlinovic zpavlinovic self-assigned this Sep 1, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/427934 mentions this issue: internal/vulns: correctly interpret ranges

gopherbot pushed a commit to golang/pkgsite that referenced this issue Sep 2, 2022
For golang/go#54480

Change-Id: I81295bfe6f03cf83d38c365195ea783115a0f959
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/427934
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
@jamalc
Copy link

jamalc commented Sep 2, 2022

Fixed.

@jamalc jamalc closed this as completed Sep 2, 2022
@julieqiu julieqiu added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 8, 2022
@hyangah hyangah assigned jamalc and unassigned zpavlinovic Sep 10, 2022
@golang golang locked and limited conversation to collaborators Sep 10, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
Status: No status
Development

No branches or pull requests

6 participants