data/reports: review 2 reports

- data/reports/GO-2024-3101.yaml - data/reports/GO-2024-3339.yaml Fixes #3101 Fixes #3339 Change-Id: I76912805ed1c8c185041f8d157beaa99a48ee30c Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/637980 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
golang · Dec 20, 2024 · 854d032 · 854d032
1 parent 1de53ca
commit 854d032
Show file tree

Hide file tree

Showing 4 changed files with 88 additions and 14 deletions.
diff --git a/data/osv/GO-2024-3101.json b/data/osv/GO-2024-3101.json
@@ -6,8 +6,8 @@
   "aliases": [
     "GHSA-75qh-gg76-p2w4"
   ],
-  "summary": "CWA-2023-004: Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm",
-  "details": "CWA-2023-004: Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm",
+  "summary": "Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm",
+  "details": "A specifically crafted Wasm file can cause the VM to consume excessive amounts of memory when compiling a contract. This can lead to high memory usage, slowdowns, potentially a crash and can poison a lock in the VM, preventing any further interaction with contracts.",
   "affected": [
     {
       "package": {
@@ -72,6 +72,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3101",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/osv/GO-2024-3339.json b/data/osv/GO-2024-3339.json
@@ -6,9 +6,40 @@
   "aliases": [
     "GHSA-8wcc-m6j2-qxvm"
   ],
-  "summary": "ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk",
-  "details": "ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk",
+  "summary": "Transaction decoding may result in a stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk",
+  "details": "Transaction decoding may result in a stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk",
   "affected": [
+    {
+      "package": {
+        "name": "cosmossdk.io/x/tx",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.13.7"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "cosmossdk.io/x/tx/decode",
+            "symbols": [
+              "Decoder.Decode",
+              "RejectUnknownFields",
+              "RejectUnknownFieldsStrict"
+            ]
+          }
+        ]
+      }
+    },
     {
       "package": {
         "name": "github.com/cosmos/cosmos-sdk",
@@ -33,7 +64,23 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cosmos/cosmos-sdk/codec/types",
+            "symbols": [
+              "interfaceRegistry.UnpackAny"
+            ]
+          },
+          {
+            "path": "github.com/cosmos/cosmos-sdk/codec/unknownproto",
+            "symbols": [
+              "RejectUnknownFields",
+              "RejectUnknownFieldsStrict"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
@@ -56,6 +103,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3339",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3101.yaml b/data/reports/GO-2024-3101.yaml
@@ -10,7 +10,12 @@ modules:
         - introduced: 1.5.0
         - fixed: 1.5.1
       vulnerable_at: 1.5.0
-summary: 'CWA-2023-004: Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm'
+summary: Excessive number of function parameters in compiled Wasm in github.com/CosmWasm/wasmvm
+description: |-
+    A specifically crafted Wasm file can cause the VM to consume excessive amounts
+    of memory when compiling a contract. This can lead to high memory usage,
+    slowdowns, potentially a crash and can poison a lock in the VM, preventing any
+    further interaction with contracts.
 ghsas:
     - GHSA-75qh-gg76-p2w4
 references:
@@ -19,7 +24,9 @@ references:
     - web: https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2023-004.md
     - web: https://rustsec.org/advisories/RUSTSEC-2024-0366.html
     - web: https://www.certik.com/resources/blog/risk-and-security-enhancement-for-app-chains-an-in-depth-writeup-of-cwa-2023
+notes:
+    - Could not determine exactly which Go packages are affected, so leaving whole module as affected out of caution.
 source:
     id: GHSA-75qh-gg76-p2w4
-    created: 2024-12-20T10:04:11.705159-10:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-20T10:42:53.394291-10:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2024-3339.yaml b/data/reports/GO-2024-3339.yaml
@@ -1,14 +1,34 @@
 id: GO-2024-3339
 modules:
+    - module: cosmossdk.io/x/tx
+      versions:
+        - fixed: 0.13.7
+      vulnerable_at: 0.13.6
+      packages:
+        - package: cosmossdk.io/x/tx/decode
+          symbols:
+            - RejectUnknownFields
+          derived_symbols:
+            - Decoder.Decode
+            - RejectUnknownFieldsStrict
     - module: github.com/cosmos/cosmos-sdk
       versions:
         - fixed: 0.47.15
         - introduced: 0.50.0-alpha.0
         - fixed: 0.50.11
       vulnerable_at: 0.50.10
+      packages:
+        - package: github.com/cosmos/cosmos-sdk/codec/types
+          symbols:
+            - interfaceRegistry.UnpackAny
+        - package: github.com/cosmos/cosmos-sdk/codec/unknownproto
+          symbols:
+            - RejectUnknownFields
+          derived_symbols:
+            - RejectUnknownFieldsStrict
 summary: |-
-    ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a
-    stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk
+    Transaction decoding may result in a stack overflow or resource exhaustion in
+    github.com/cosmos/cosmos-sdk
 ghsas:
     - GHSA-8wcc-m6j2-qxvm
 references:
@@ -18,5 +38,5 @@ references:
     - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.11
 source:
     id: GHSA-8wcc-m6j2-qxvm
-    created: 2024-12-17T08:21:26.241857-05:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-20T10:42:55.054352-10:00
+review_status: REVIEWED