data/reports: add GO-2022-1008.yaml for CVE-2022-2990

Fixes golang/vulndb#1008

Change-Id: Ie11e4e5f93c7619e9554951eac39b77370484db7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/432167
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>

data/osv/GO-2022-1008.json

@@ -0,0 +1,55 @@
+{
+  "id": "GO-2022-1008",
+  "published": "0001-01-01T00:00:00Z",
+  "modified": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-2990",
+    "GHSA-fjm8-m7m6-2fjp"
+  ],
+  "details": "SGID programs executed in a container can access files that have negative\ngroup permissions for the user's primary group.\n\nConsider a file which is owned by user u1 and group g1, permits user and\nother read access, and does NOT permit group read access. This file is\nreadable by u1 and all other users except for ones in group g1.\n\nA program with the set-group-ID (SGID) bit set assumes the primary group\nof the program's group when it executes.\n\nA user with the primary group g1 who executes an SGID program owned by\ngroup g2 should not be able to access the file described above. While\nthe program executes with the primary group g2, the group g1 should\nremain in its supplementary groups, blocking access to the file.\n\nBuildah does not correctly add g1 to the supplementary groups in this\nscenario, permitting unauthorized access.\n",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/containers/buildah",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.27.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "url": "https://pkg.go.dev/vuln/GO-2022-1008"
+      },
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/containers/buildah",
+            "symbols": [
+              "Builder.Run",
+              "Builder.configureUIDGID"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ARTICLE",
+      "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b"
+    }
+  ]
+}

data/reports/GO-2022-1008.yaml

@@ -0,0 +1,36 @@
+modules:
+  - module: github.com/containers/buildah
+    versions:
+      - fixed: 1.27.1
+    vulnerable_at: 1.27.0
+    packages:
+      - package: github.com/containers/buildah
+        symbols:
+          - Builder.configureUIDGID
+        derived_symbols:
+          - Builder.Run
+description: |
+    SGID programs executed in a container can access files that have negative
+    group permissions for the user's primary group.
+
+    Consider a file which is owned by user u1 and group g1, permits user and
+    other read access, and does NOT permit group read access. This file is
+    readable by u1 and all other users except for ones in group g1.
+
+    A program with the set-group-ID (SGID) bit set assumes the primary group
+    of the program's group when it executes.
+
+    A user with the primary group g1 who executes an SGID program owned by
+    group g2 should not be able to access the file described above. While
+    the program executes with the primary group g2, the group g1 should
+    remain in its supplementary groups, blocking access to the file.
+
+    Buildah does not correctly add g1 to the supplementary groups in this
+    scenario, permitting unauthorized access.
+cves:
+  - CVE-2022-2990
+ghsas:
+  - GHSA-fjm8-m7m6-2fjp
+references:
+  - article: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
+  - fix: https://github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b