data/reports: review GO-2024-3104

tatianab · gopherbot · commit ec8e9cf64dc1 · 2024-12-12T14:00:24.000-08:00
- data/reports/GO-2024-3104.yaml Fixes #3104 Change-Id: If5833ed05bfdf2e9a26f62b20979ba9c4d730be2 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635699 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2024-3104.json b/data/osv/GO-2024-3104.json
@@ -28,18 +28,29 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/ollama/ollama/cmd",
+            "symbols": [
+              "tempZipFiles"
+            ]
+          },
+          {
+            "path": "github.com/ollama/ollama/server",
+            "symbols": [
+              "parseFromZipFile"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://github.com/advisories/GHSA-846m-99qv-67mg"
     },
-    {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45436"
-    },
     {
       "type": "FIX",
       "url": "https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527"
@@ -55,6 +66,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3104",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3104.yaml b/data/reports/GO-2024-3104.yaml
@@ -4,18 +4,28 @@ modules:
       versions:
         - fixed: 0.1.47
       vulnerable_at: 0.1.46
-summary: Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama
+      packages:
+        - package: github.com/ollama/ollama/cmd
+          symbols:
+            - tempZipFiles
+        - package: github.com/ollama/ollama/server
+          symbols:
+            - parseFromZipFile
+summary: |-
+    Ollama can extract members of a ZIP archive outside of the parent directory in
+    github.com/ollama/ollama
 cves:
     - CVE-2024-45436
 ghsas:
     - GHSA-846m-99qv-67mg
 references:
     - advisory: https://github.com/advisories/GHSA-846m-99qv-67mg
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45436
     - fix: https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527
     - fix: https://github.com/ollama/ollama/pull/5314
     - web: https://github.com/ollama/ollama/compare/v0.1.46...v0.1.47
+notes:
+    - I was not able to generate derived symbols due to a cgo error.
 source:
     id: GHSA-846m-99qv-67mg
-    created: 2024-08-30T11:49:51.257019-04:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-12T13:00:47.375499-05:00
+review_status: REVIEWED
