data/reports: review GO-2024-3259

tatianab · gopherbot · commit 7640dd3b40b4 · 2024-12-12T13:58:41.000-08:00
- data/reports/GO-2024-3259.yaml Fixes #3259 Change-Id: I21b7dc91fe0cbfe12f21daca3369259616e70ca5 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635700 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-3259.json b/data/osv/GO-2024-3259.json
@@ -27,7 +27,17 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cometbft/cometbft/state/indexer/block/kv",
+            "symbols": [
+              "BlockerIndexer.Search",
+              "BlockerIndexer.setTmpHeights"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
@@ -42,10 +52,14 @@
     {
       "type": "WEB",
       "url": "https://github.com/cometbft/cometbft/releases/tag/v0.38.15"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cometbft/cometbft/commit/17d3bb66664cab6d6798c17e27198e15bbac1905"
     }
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3259",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3259.yaml b/data/reports/GO-2024-3259.yaml
@@ -5,14 +5,22 @@ modules:
         - introduced: 0.38.0
         - fixed: 0.38.15
       vulnerable_at: 0.38.14
-summary: 'CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data in github.com/cometbft/cometbft'
+      packages:
+        - package: github.com/cometbft/cometbft/state/indexer/block/kv
+          symbols:
+            - BlockerIndexer.setTmpHeights
+          derived_symbols:
+            - BlockerIndexer.Search
+summary: |
+    CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data in github.com/cometbft/cometbft
 ghsas:
     - GHSA-p7mv-53f2-4cwj
 references:
     - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj
     - web: https://docs.cometbft.com/v0.38/spec/abci/abci++_basic_concepts
     - web: https://github.com/cometbft/cometbft/releases/tag/v0.38.15
+    - fix: https://github.com/cometbft/cometbft/commit/17d3bb66664cab6d6798c17e27198e15bbac1905
 source:
     id: GHSA-p7mv-53f2-4cwj
-    created: 2024-11-12T11:29:13.234193-05:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-12T13:06:57.501787-05:00
+review_status: REVIEWED

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,17 @@`
`27`	`27`	`]`
`28`	`28`	`}`
`29`	`29`	`],`
`30`		`- "ecosystem_specific": {}`
	`30`	`+ "ecosystem_specific": {`
	`31`	`+ "imports": [`
	`32`	`+ {`
	`33`	`+ "path": "github.com/cometbft/cometbft/state/indexer/block/kv",`
	`34`	`+ "symbols": [`
	`35`	`+ "BlockerIndexer.Search",`
	`36`	`+ "BlockerIndexer.setTmpHeights"`
	`37`	`+ ]`
	`38`	`+ }`
	`39`	`+ ]`
	`40`	`+ }`
`31`	`41`	`}`
`32`	`42`	`],`
`33`	`43`	`"references": [`
`@@ -42,10 +52,14 @@`
`42`	`52`	`{`
`43`	`53`	`"type": "WEB",`
`44`	`54`	`"url": "https://github.com/cometbft/cometbft/releases/tag/v0.38.15"`
	`55`	`+ },`
	`56`	`+ {`
	`57`	`+ "type": "FIX",`
	`58`	`+ "url": "https://github.com/cometbft/cometbft/commit/17d3bb66664cab6d6798c17e27198e15bbac1905"`
`45`	`59`	`}`
`46`	`60`	`],`
`47`	`61`	`"database_specific": {`
`48`	`62`	`"url": "https://pkg.go.dev/vuln/GO-2024-3259",`
`49`		`- "review_status": "UNREVIEWED"`
	`63`	`+ "review_status": "REVIEWED"`
`50`	`64`	`}`
`51`	`65`	`}`