data/reports: review 2 reports

tatianab · gopherbot · commit 854d03202f8d · 2024-12-20T13:48:20.000-08:00
- data/reports/GO-2024-3101.yaml - data/reports/GO-2024-3339.yaml Fixes #3101 Fixes #3339 Change-Id: I76912805ed1c8c185041f8d157beaa99a48ee30c Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/637980 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-3101.json b/data/osv/GO-2024-3101.json
@@ -6,8 +6,8 @@
   "aliases": [
     "GHSA-75qh-gg76-p2w4"
   ],
-  "summary": "CWA-2023-004: Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm",
-  "details": "CWA-2023-004: Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm",
+  "summary": "Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm",
+  "details": "A specifically crafted Wasm file can cause the VM to consume excessive amounts of memory when compiling a contract. This can lead to high memory usage, slowdowns, potentially a crash and can poison a lock in the VM, preventing any further interaction with contracts.",
   "affected": [
     {
       "package": {
@@ -72,6 +72,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3101",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/osv/GO-2024-3339.json b/data/osv/GO-2024-3339.json
@@ -6,9 +6,40 @@
   "aliases": [
     "GHSA-8wcc-m6j2-qxvm"
   ],
-  "summary": "ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk",
-  "details": "ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk",
+  "summary": "Transaction decoding may result in a stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk",
+  "details": "Transaction decoding may result in a stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk",
   "affected": [
+    {
+      "package": {
+        "name": "cosmossdk.io/x/tx",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.13.7"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "cosmossdk.io/x/tx/decode",
+            "symbols": [
+              "Decoder.Decode",
+              "RejectUnknownFields",
+              "RejectUnknownFieldsStrict"
+            ]
+          }
+        ]
+      }
+    },
     {
       "package": {
         "name": "github.com/cosmos/cosmos-sdk",
@@ -33,7 +64,23 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cosmos/cosmos-sdk/codec/types",
+            "symbols": [
+              "interfaceRegistry.UnpackAny"
+            ]
+          },
+          {
+            "path": "github.com/cosmos/cosmos-sdk/codec/unknownproto",
+            "symbols": [
+              "RejectUnknownFields",
+              "RejectUnknownFieldsStrict"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
@@ -56,6 +103,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3339",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3101.yaml b/data/reports/GO-2024-3101.yaml
@@ -10,7 +10,12 @@ modules:
         - introduced: 1.5.0
         - fixed: 1.5.1
       vulnerable_at: 1.5.0
-summary: 'CWA-2023-004: Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm'
+summary: Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm
+description: |-
+    A specifically crafted Wasm file can cause the VM to consume excessive amounts
+    of memory when compiling a contract. This can lead to high memory usage,
+    slowdowns, potentially a crash and can poison a lock in the VM, preventing any
+    further interaction with contracts.
 ghsas:
     - GHSA-75qh-gg76-p2w4
 references:
@@ -19,7 +24,9 @@ references:
     - web: https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2023-004.md
     - web: https://rustsec.org/advisories/RUSTSEC-2024-0366.html
     - web: https://www.certik.com/resources/blog/risk-and-security-enhancement-for-app-chains-an-in-depth-writeup-of-cwa-2023
+notes:
+    - Could not determine exactly which Go packages are affected, so leaving whole module as affected out of caution.
 source:
     id: GHSA-75qh-gg76-p2w4
-    created: 2024-12-20T10:04:11.705159-10:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-20T10:42:53.394291-10:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-3339.yaml b/data/reports/GO-2024-3339.yaml
@@ -1,14 +1,34 @@
 id: GO-2024-3339
 modules:
+    - module: cosmossdk.io/x/tx
+      versions:
+        - fixed: 0.13.7
+      vulnerable_at: 0.13.6
+      packages:
+        - package: cosmossdk.io/x/tx/decode
+          symbols:
+            - RejectUnknownFields
+          derived_symbols:
+            - Decoder.Decode
+            - RejectUnknownFieldsStrict
     - module: github.com/cosmos/cosmos-sdk
       versions:
         - fixed: 0.47.15
         - introduced: 0.50.0-alpha.0
         - fixed: 0.50.11
       vulnerable_at: 0.50.10
+      packages:
+        - package: github.com/cosmos/cosmos-sdk/codec/types
+          symbols:
+            - interfaceRegistry.UnpackAny
+        - package: github.com/cosmos/cosmos-sdk/codec/unknownproto
+          symbols:
+            - RejectUnknownFields
+          derived_symbols:
+            - RejectUnknownFieldsStrict
 summary: |-
-    ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a
-    stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk
+    Transaction decoding may result in a stack overflow or resource exhaustion in
+    github.com/cosmos/cosmos-sdk
 ghsas:
     - GHSA-8wcc-m6j2-qxvm
 references:
@@ -18,5 +38,5 @@ references:
     - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.11
 source:
     id: GHSA-8wcc-m6j2-qxvm
-    created: 2024-12-17T08:21:26.241857-05:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-20T10:42:55.054352-10:00
+review_status: REVIEWED

Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,8 @@`
`6`	`6`	`"aliases": [`
`7`	`7`	`"GHSA-75qh-gg76-p2w4"`
`8`	`8`	`],`
`9`		`- "summary": "CWA-2023-004: Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm",`
`10`		`- "details": "CWA-2023-004: Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm",`
	`9`	`+ "summary": "Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm",`
	`10`	`+ "details": "A specifically crafted Wasm file can cause the VM to consume excessive amounts of memory when compiling a contract. This can lead to high memory usage, slowdowns, potentially a crash and can poison a lock in the VM, preventing any further interaction with contracts.",`
`11`	`11`	`"affected": [`
`12`	`12`	`{`
`13`	`13`	`"package": {`
`@@ -72,6 +72,6 @@`
`72`	`72`	`],`
`73`	`73`	`"database_specific": {`
`74`	`74`	`"url": "https://pkg.go.dev/vuln/GO-2024-3101",`
`75`		`- "review_status": "UNREVIEWED"`
	`75`	`+ "review_status": "REVIEWED"`
`76`	`76`	`}`
`77`	`77`	`}`