data/reports: review GO-2024-3186

tatianab · tatianab · commit 9f0fe4d9af05 · 2024-12-12T07:16:55.000-08:00
- data/reports/GO-2024-3186.yaml Fixes #3186 Change-Id: I02cf749efcc14dec53e7ed09202d284d0314e17d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635417 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2024-3186.json b/data/osv/GO-2024-3186.json
@@ -21,11 +21,20 @@
           "events": [
             {
               "introduced": "0"
+            },
+            {
+              "fixed": "1.37.1"
             }
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/containers/buildah/internal/volumes"
+          }
+        ]
+      }
     }
   ],
   "references": [
@@ -34,20 +43,12 @@
       "url": "https://github.com/advisories/GHSA-586p-749j-fhwp"
     },
     {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9675"
-    },
-    {
-      "type": "WEB",
-      "url": "https://access.redhat.com/security/cve/CVE-2024-9675"
-    },
-    {
-      "type": "WEB",
-      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317458"
+      "type": "FIX",
+      "url": "https://github.com/containers/buildah/commit/aa67e5d71ee7ec07122a210baa3b13966a9e086c"
     }
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3186",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3186.yaml b/data/reports/GO-2024-3186.yaml
@@ -1,20 +1,20 @@
 id: GO-2024-3186
 modules:
     - module: github.com/containers/buildah
-      unsupported_versions:
-        - last_affected: 1.37.0
-      vulnerable_at: 1.37.4
+      versions:
+        - fixed: 1.37.1
+      vulnerable_at: 1.37.0
+      packages:
+        - package: github.com/containers/buildah/internal/volumes
 summary: Buildah allows arbitrary directory mount in github.com/containers/buildah
 cves:
     - CVE-2024-9675
 ghsas:
     - GHSA-586p-749j-fhwp
 references:
     - advisory: https://github.com/advisories/GHSA-586p-749j-fhwp
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9675
-    - web: https://access.redhat.com/security/cve/CVE-2024-9675
-    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2317458
+    - fix: https://github.com/containers/buildah/commit/aa67e5d71ee7ec07122a210baa3b13966a9e086c
 source:
     id: GHSA-586p-749j-fhwp
-    created: 2024-10-11T10:16:13.933974-04:00
-review_status: UNREVIEWED
+    created: 2024-12-11T15:44:36.163971-05:00
+review_status: REVIEWED

Original file line number	Diff line number	Diff line change
`@@ -21,11 +21,20 @@`
`21`	`21`	`"events": [`
`22`	`22`	`{`
`23`	`23`	`"introduced": "0"`
	`24`	`+ },`
	`25`	`+ {`
	`26`	`+ "fixed": "1.37.1"`
`24`	`27`	`}`
`25`	`28`	`]`
`26`	`29`	`}`
`27`	`30`	`],`
`28`		`- "ecosystem_specific": {}`
	`31`	`+ "ecosystem_specific": {`
	`32`	`+ "imports": [`
	`33`	`+ {`
	`34`	`+ "path": "github.com/containers/buildah/internal/volumes"`
	`35`	`+ }`
	`36`	`+ ]`
	`37`	`+ }`
`29`	`38`	`}`
`30`	`39`	`],`
`31`	`40`	`"references": [`
`@@ -34,20 +43,12 @@`
`34`	`43`	`"url": "https://github.com/advisories/GHSA-586p-749j-fhwp"`
`35`	`44`	`},`
`36`	`45`	`{`
`37`		`- "type": "ADVISORY",`
`38`		`- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9675"`
`39`		`- },`
`40`		`- {`
`41`		`- "type": "WEB",`
`42`		`- "url": "https://access.redhat.com/security/cve/CVE-2024-9675"`
`43`		`- },`
`44`		`- {`
`45`		`- "type": "WEB",`
`46`		`- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317458"`
	`46`	`+ "type": "FIX",`
	`47`	`+ "url": "https://github.com/containers/buildah/commit/aa67e5d71ee7ec07122a210baa3b13966a9e086c"`
`47`	`48`	`}`
`48`	`49`	`],`
`49`	`50`	`"database_specific": {`
`50`	`51`	`"url": "https://pkg.go.dev/vuln/GO-2024-3186",`
`51`		`- "review_status": "UNREVIEWED"`
	`52`	`+ "review_status": "REVIEWED"`
`52`	`53`	`}`
`53`	`54`	`}`