vulndb/data/osv/GO-2022-1045.json

{
  "schema_version": "1.3.1",
  "id": "GO-2022-1045",
  "modified": "0001-01-01T00:00:00Z",
  "published": "0001-01-01T00:00:00Z",
  "aliases": [
    "CVE-2022-39237",
    "GHSA-m5m3-46gj-wch8"
  ],
  "summary": "Improper validation of signature hash algorithms in github.com/sylabs/sif/v2",
  "details": "The Singularity Image Format (SIF) reference implementation does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.",
  "affected": [
    {
      "package": {
        "name": "github.com/sylabs/sif/v2",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.1"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/sylabs/sif/v2/pkg/integrity",
            "symbols": [
              "Signer.Sign",
              "Verifier.Verify",
              "digest.MarshalJSON",
              "digest.UnmarshalJSON",
              "newDigest",
              "signAndEncodeJSON",
              "verifyAndDecode"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"
    },
    {
      "type": "FIX",
      "url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2022-1045",
    "review_status": "REVIEWED"
  }
}
data/reports: add GO-2022-1045.yaml for CVE-2022-39237 Fixes golang/vulndb#1045 Change-Id: I34f0537be66067e8b28d74a581ae1553ac341e85 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/443639 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-10-20 00:50:56 +03:00			`{`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`"schema_version": "1.3.1",`
data/reports: add GO-2022-1045.yaml for CVE-2022-39237 Fixes golang/vulndb#1045 Change-Id: I34f0537be66067e8b28d74a581ae1553ac341e85 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/443639 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-10-20 00:50:56 +03:00			`"id": "GO-2022-1045",`
			`"modified": "0001-01-01T00:00:00Z",`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`"published": "0001-01-01T00:00:00Z",`
data/reports: add GO-2022-1045.yaml for CVE-2022-39237 Fixes golang/vulndb#1045 Change-Id: I34f0537be66067e8b28d74a581ae1553ac341e85 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/443639 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-10-20 00:50:56 +03:00			`"aliases": [`
			`"CVE-2022-39237",`
			`"GHSA-m5m3-46gj-wch8"`
			`],`
internal/{osv,report}, data: publish summaries to OSV Modify ToOSV to publish the summary from the YAML report to OSV, and apply this change to each existing OSV report. For golang/go#56443 Change-Id: Iee78fe75f42fe9a52c6e4023ee9ad8dfa5feba8d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501203 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> 2023-06-06 21:13:32 +03:00			`"summary": "Improper validation of signature hash algorithms in github.com/sylabs/sif/v2",`
internal/database, data/osv: trim whitespace characters in OSV description In GenerateOSVEntry, replace all whitespace characters with single spaces except for paragraph breaks represented by "\n\n". Change-Id: Ia03f0b53c94979fada6316be1346df3f48b9fabe Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/439044 Run-TryBot: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-10-05 19:05:17 +03:00			`"details": "The Singularity Image Format (SIF) reference implementation does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.",`
data/reports: add GO-2022-1045.yaml for CVE-2022-39237 Fixes golang/vulndb#1045 Change-Id: I34f0537be66067e8b28d74a581ae1553ac341e85 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/443639 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-10-20 00:50:56 +03:00			`"affected": [`
			`{`
			`"package": {`
			`"name": "github.com/sylabs/sif/v2",`
			`"ecosystem": "Go"`
			`},`
			`"ranges": [`
			`{`
			`"type": "SEMVER",`
			`"events": [`
			`{`
			`"introduced": "0"`
			`},`
			`{`
			`"fixed": "2.8.1"`
			`}`
			`]`
			`}`
			`],`
			`"ecosystem_specific": {`
			`"imports": [`
			`{`
			`"path": "github.com/sylabs/sif/v2/pkg/integrity",`
			`"symbols": [`
			`"Signer.Sign",`
			`"Verifier.Verify",`
			`"digest.MarshalJSON",`
			`"digest.UnmarshalJSON",`
			`"newDigest",`
			`"signAndEncodeJSON",`
			`"verifyAndDecode"`
			`]`
			`}`
			`]`
			`}`
			`}`
			`],`
			`"references": [`
			`{`
			`"type": "ADVISORY",`
			`"url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"`
			`},`
			`{`
			`"type": "FIX",`
			`"url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"`
			`}`
internal/report, data/osv: populate schema_version field in osv entries The vulnreport osv command now populates all generated osvs with the current schema version (1.3.1). This CL also updates all previous OSV entries to also have the current schema version. Change-Id: Ie95c91aae0ee623bbf50ff047190a0bbe59893d9 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/452440 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Maceo Thompson <maceothompson@google.com> 2022-11-21 21:47:08 +03:00			`],`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`"database_specific": {`
data: apply REVIEWED status to all existing reports and osv Change-Id: I862c5bb24b9c08c29f0d437fd1be61da0319ef0d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585517 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> 2024-05-14 22:19:00 +03:00			`"url": "https://pkg.go.dev/vuln/GO-2022-1045",`
			`"review_status": "REVIEWED"`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`}`
data/reports: add GO-2022-1045.yaml for CVE-2022-39237 Fixes golang/vulndb#1045 Change-Id: I34f0537be66067e8b28d74a581ae1553ac341e85 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/443639 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-10-20 00:50:56 +03:00			`}`