security/vuxml: Document Go vulnerabilities

2022-06-07 07:33:03 -05:00 · 2022-06-07 07:33:03 -05:00 · f35fdab00d
commit f35fdab00d
parent 976fb87003
1 changed files with 63 additions and 2 deletions
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@ -1,3 +1,64 @@
+  <vuln vid="15888c7e-e659-11ec-b7fe-10c37b4ac2ea">
+    <topic>go -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>go118</name>
+	<range><lt>1.18.3</lt></range>
+      </package>
+      <package>
+	<name>go117</name>
+	<range><lt>1.17.11</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Go project reports:</p>
+	<blockquote cite="https://go.dev/issue/52561">
+	  <p>crypto/rand: rand.Read hangs with extremely large buffers</p>
+	  <p>On Windows, rand.Read will hang indefinitely if passed a
+	    buffer larger than 1 &lt;&lt; 32 - 1 bytes.</p>
+	</blockquote>
+	<blockquote cite="https://go.dev/issue/52814">
+	  <p>crypto/tls: session tickets lack random ticket_age_add</p>
+	  <p>Session tickets generated by crypto/tls did not contain
+	    a randomly generated ticket_age_add. This allows an
+	    attacker that can observe TLS handshakes to correlate
+	    successive connections by comparing ticket ages during
+	    session resumption.</p>
+	</blockquote>
+	<blockquote cite="https://go.dev/issue/52574">
+	  <p>os/exec: empty Cmd.Path can result in running unintended
+	    binary on Windows</p>
+	  <p>If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or
+	    cmd.CombinedOutput are executed when Cmd.Path is unset
+	    and, in the working directory, there are binaries named
+	    either "..com" or "..exe", they will be executed.</p>
+	</blockquote>
+	<blockquote cite="https://go.dev/issue/52476">
+	  <p>path/filepath: Clean(`.\c:`) returns `c:` on Windows</p>
+	  <p>On Windows, the filepath.Clean function could convert an
+	    invalid path to a valid, absolute path. For example,
+	    Clean(`.\c:`) returned `c:`.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://groups.google.com/g/golang-dev/c/DidEMYAH_n0</url>
+      <cvename>CVE-2022-30634</cvename>
+      <url>https://go.dev/issue/52561</url>
+      <cvename>CVE-2022-30629</cvename>
+      <url>https://go.dev/issue/52814</url>
+      <cvename>CVE-2022-30580</cvename>
+      <url>https://go.dev/issue/52574</url>
+      <cvename>CVE-2022-29804</cvename>
+      <url>https://go.dev/issue/52476</url>
+    </references>
+    <dates>
+      <discovery>2022-06-01</discovery>
+      <entry>2022-06-07</entry>
+    </dates>
+  </vuln>
+
  <vuln vid="a58f3fde-e4e0-11ec-8340-2d623369b8b5">
    <topic>e2fsprogs -- out-of-bounds read/write vulnerability</topic>
    <affects>
@ -331,7 +392,7 @@
      </package>
      <package>
 	<name>go117</name>
-	<range><lt>1.17.10,1</lt></range>
+	<range><lt>1.17.10</lt></range>
      </package>
    </affects>
    <description>
@ -682,7 +743,7 @@
      </package>
      <package>
 	<name>go117</name>
-	<range><lt>1.17.9,1</lt></range>
+	<range><lt>1.17.9</lt></range>
      </package>
    </affects>
    <description>