data/reports: review GO-2024-3122

tatianab · gopherbot · commit dc9d1b0bf27d · 2024-12-12T13:58:48.000-08:00
- data/reports/GO-2024-3122.yaml Fixes #3122 Change-Id: I378a46511dd58191591d9d6e3d8caf9a6c902771 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635703 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/data/osv/GO-2024-3122.json b/data/osv/GO-2024-3122.json
@@ -7,8 +7,8 @@
     "CVE-2024-45039",
     "GHSA-q3hw-3gm4-w5cr"
   ],
-  "summary": "gnark's Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark",
-  "details": "gnark's Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark",
+  "summary": "Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark",
+  "details": "Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark",
   "affected": [
     {
       "package": {
@@ -35,14 +35,10 @@
     {
       "type": "ADVISORY",
       "url": "https://github.com/Consensys/gnark/security/advisories/GHSA-q3hw-3gm4-w5cr"
-    },
-    {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45039"
     }
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3122",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3122.yaml b/data/reports/GO-2024-3122.yaml
@@ -4,15 +4,18 @@ modules:
       versions:
         - fixed: 0.11.0
       vulnerable_at: 0.10.0
-summary: gnark's Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark
+summary: |-
+    Groth16 commitment extension unsound for more than one commitment in
+    github.com/consensys/gnark
 cves:
     - CVE-2024-45039
 ghsas:
     - GHSA-q3hw-3gm4-w5cr
 references:
     - advisory: https://github.com/Consensys/gnark/security/advisories/GHSA-q3hw-3gm4-w5cr
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45039
+notes:
+    - The fix mentioned in the advisory (https://github.com/Consensys/gnark/commit/e7c66b000454f4d2a4ae48c005c34154d4cfc2a2) does not exist, and I was not able to locate the real fix.
 source:
     id: GHSA-q3hw-3gm4-w5cr
-    created: 2024-11-12T11:30:11.924411-05:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-12T14:10:57.751829-05:00
+review_status: REVIEWED

Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,8 @@`
`7`	`7`	`"CVE-2024-45039",`
`8`	`8`	`"GHSA-q3hw-3gm4-w5cr"`
`9`	`9`	`],`
`10`		`- "summary": "gnark's Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark",`
`11`		`- "details": "gnark's Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark",`
	`10`	`+ "summary": "Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark",`
	`11`	`+ "details": "Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark",`
`12`	`12`	`"affected": [`
`13`	`13`	`{`
`14`	`14`	`"package": {`
`@@ -35,14 +35,10 @@`
`35`	`35`	`{`
`36`	`36`	`"type": "ADVISORY",`
`37`	`37`	`"url": "https://github.com/Consensys/gnark/security/advisories/GHSA-q3hw-3gm4-w5cr"`
`38`		`- },`
`39`		`- {`
`40`		`- "type": "ADVISORY",`
`41`		`- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45039"`
`42`	`38`	`}`
`43`	`39`	`],`
`44`	`40`	`"database_specific": {`
`45`	`41`	`"url": "https://pkg.go.dev/vuln/GO-2024-3122",`
`46`		`- "review_status": "UNREVIEWED"`
	`42`	`+ "review_status": "REVIEWED"`
`47`	`43`	`}`
`48`	`44`	`}`