data/reports: review GO-2024-3282

  - data/reports/GO-2024-3282.yaml

Fixes #3282

Change-Id: I41285469f35ff0fd8c1d0332831f9fa819aa5822
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635702
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: tatianab

data/osv/GO-2024-3282.json

@@ -4,10 +4,11 @@
   "modified": "0001-01-01T00:00:00Z",
   "published": "0001-01-01T00:00:00Z",
   "aliases": [
+    "CVE-2024-12401",
     "GHSA-r4pg-vg54-wxx4"
   ],
-  "summary": "cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM inputs in github.com/cert-manager/cert-manager",
-  "details": "cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM inputs in github.com/cert-manager/cert-manager",
+  "summary": "Potential slowdown / DoS when parsing specially crafted PEM inputs in github.com/cert-manager/cert-manager",
+  "details": "Potential slowdown / DoS when parsing specially crafted PEM inputs in github.com/cert-manager/cert-manager",
   "affected": [
     {
       "package": {
@@ -39,14 +40,55 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cert-manager/cert-manager/pkg/util/pki",
+            "symbols": [
+              "CertificateTemplateFromCSRPEM",
+              "CertificateTemplateFromCertificateRequest",
+              "CertificateTemplateFromCertificateSigningRequest",
+              "DecodePrivateKeyBytes",
+              "DecodeX509CertificateBytes",
+              "DecodeX509CertificateChainBytes",
+              "DecodeX509CertificateRequestBytes",
+              "DecodeX509CertificateSetBytes",
+              "GenerateLocallySignedTemporaryCertificate",
+              "ParseSingleCertificateChainPEM",
+              "RequestMatchesSpec"
+            ]
+          },
+          {
+            "path": "github.com/cert-manager/cert-manager/internal/controller/certificates",
+            "symbols": [
+              "OutputFormatDER"
+            ]
+          },
+          {
+            "path": "github.com/cert-manager/cert-manager/pkg/controller/acmeorders",
+            "symbols": [
+              "controller.ProcessItem",
+              "controller.Sync",
+              "controller.finalizeOrder"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4"
     },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cert-manager/cert-manager/commit/3a4c9eb55e2e43570679840bbe3217869fbc8efc"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cert-manager/cert-manager/commit/f22f78c8c0a64d718e203b326bc844c488ad7850"
+    },
     {
       "type": "FIX",
       "url": "https://github.com/cert-manager/cert-manager/pull/7400"
@@ -64,12 +106,12 @@
       "url": "https://github.com/cert-manager/cert-manager/pull/7403"
     },
     {
-      "type": "WEB",
+      "type": "REPORT",
       "url": "https://go.dev/issue/50116"
     }
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3282",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }

data/reports/GO-2024-3282.yaml

@@ -8,19 +8,47 @@ modules:
         - introduced: 1.16.0-alpha.0
         - fixed: 1.16.2
       vulnerable_at: 1.16.1
+      packages:
+        - package: github.com/cert-manager/cert-manager/pkg/util/pki
+          symbols:
+            - DecodeX509CertificateRequestBytes
+            - DecodeX509CertificateSetBytes
+            - DecodePrivateKeyBytes
+          derived_symbols:
+            - CertificateTemplateFromCSRPEM
+            - CertificateTemplateFromCertificateRequest
+            - CertificateTemplateFromCertificateSigningRequest
+            - DecodeX509CertificateBytes
+            - DecodeX509CertificateChainBytes
+            - GenerateLocallySignedTemporaryCertificate
+            - ParseSingleCertificateChainPEM
+            - RequestMatchesSpec
+        - package: github.com/cert-manager/cert-manager/internal/controller/certificates
+          symbols:
+            - OutputFormatDER
+        - package: github.com/cert-manager/cert-manager/pkg/controller/acmeorders
+          symbols:
+            - controller.finalizeOrder
+          derived_symbols:
+            - controller.ProcessItem
+            - controller.Sync
 summary: |-
-    cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM
+    Potential slowdown / DoS when parsing specially crafted PEM
     inputs in github.com/cert-manager/cert-manager
+cves:
+    - CVE-2024-12401
 ghsas:
     - GHSA-r4pg-vg54-wxx4
 references:
     - advisory: https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4
+    - fix: https://github.com/cert-manager/cert-manager/commit/3a4c9eb55e2e43570679840bbe3217869fbc8efc
+    - fix: https://github.com/cert-manager/cert-manager/commit/f22f78c8c0a64d718e203b326bc844c488ad7850
     - fix: https://github.com/cert-manager/cert-manager/pull/7400
     - fix: https://github.com/cert-manager/cert-manager/pull/7401
     - fix: https://github.com/cert-manager/cert-manager/pull/7402
     - fix: https://github.com/cert-manager/cert-manager/pull/7403
-    - web: https://go.dev/issue/50116
+    - report: https://go.dev/issue/50116
 source:
     id: GHSA-r4pg-vg54-wxx4
-    created: 2024-11-21T14:39:18.975104-05:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-12T13:23:46.830984-05:00
+review_status: REVIEWED