golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: suggestion regarding GO-2024-3166 #3195

Closed RebeccaMahany closed 1 month ago

RebeccaMahany commented 1 month ago

Report ID

GO-2024-3166

Suggestion/Comment

https://www.cve.org/CVERecord?id=CVE-2024-47534 was updated today, stating that affected versions are affected at versions >= 2.0.0, < 2.0.1. Therefore, github.com/theupdateframework/go-tuf should not be marked as "all versions, no known fix" affected by GO-2024-3166.

maceonthompson commented 1 month ago

Thanks for the suggestion!

From what I can tell, github.com/theupdateframework/go-tuf is only version 0.7.0. It seems that the last patch for v1 was in 2023, whereas the patches addressing the vulnerability are for v2.

If a patch is applied to v1 then the vulndb entry should be updated, but v2 is correctly being marked vulnerable at version 2.0.0, and not vulnerable at versions 2.0.1 and 2.0.2.

Feel free to re-open if you feel that I'm misunderstanding/missing info!

RebeccaMahany commented 1 month ago

The vulnerability was introduced in v2, which is why the CVE says the affected versions are >= 2.0.0 -- the vulnerability was never present in versions prior to v2, and therefore not present in github.com/theupdateframework/go-tuf. So I believe GO-2024-3166 should be updated to note that it does not apply to github.com/theupdateframework/go-tuf, only to github.com/theupdateframework/go-tuf/v2.

Unfortunately I'm not able to reopen this issue -- @maceonthompson.
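The point of the thread is that under Go's semantic import versioning `github.com/theupdateframework/go-tuf` and `github.com/theupdateframework/go-tuf/v2` are distinct module paths, so an affected range that starts at 2.0.0 can never match the un-suffixed v1 path. The following is an added example (not code from vulndb, govulncheck or go-tuf) of a minimal "is module@version affected" check modelled on OSV-style introduced/fixed ranges. The `Before` and `After` report entries are constructed from the thread's description of GO-2024-3166, not copied from the database; the `Range`, `Affected`, `PathMajor` and `IsAffected` names are this example's own, and pre-release versions and `gopkg.in` paths are deliberately not handled.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a Go module version of the form "vMAJOR.MINOR.PATCH"
// (pre-release and build suffixes are not handled in this example).
type Version struct{ Major, Minor, Patch int }

// ParseVersion parses "v2.0.1" into its three numeric components.
func ParseVersion(s string) (Version, error) {
	parts := strings.Split(strings.TrimPrefix(s, "v"), ".")
	if !strings.HasPrefix(s, "v") || len(parts) != 3 {
		return Version{}, fmt.Errorf("version %q is not vMAJOR.MINOR.PATCH", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return Version{}, fmt.Errorf("version %q has bad component %q", s, p)
		}
		n[i] = x
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less reports whether v sorts strictly before w.
func (v Version) Less(w Version) bool {
	if v.Major != w.Major {
		return v.Major < w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor < w.Minor
	}
	return v.Patch < w.Patch
}

// Range is one introduced/fixed pair, as in an OSV SEMVER event list.
// An empty Fixed means "no known fix": everything from Introduced onward is affected.
type Range struct{ Introduced, Fixed string }

// Affected is one module entry of a report.
type Affected struct {
	Module string
	Ranges []Range
}

// PathMajor returns the major version encoded in a module path suffix
// ("/v2" -> 2, true). A path without such a suffix can only hold v0/v1 code.
func PathMajor(module string) (int, bool) {
	i := strings.LastIndex(module, "/v")
	if i < 0 {
		return 0, false
	}
	n, err := strconv.Atoi(module[i+2:])
	if err != nil || n < 2 {
		return 0, false
	}
	return n, true
}

// IsAffected reports whether module@version lies inside any range listed for
// that module. It first rejects version/path combinations that cannot exist:
// a v2.x.y version never belongs to an un-suffixed path, and vice versa.
func IsAffected(entries []Affected, module, version string) (bool, error) {
	v, err := ParseVersion(version)
	if err != nil {
		return false, err
	}
	if major, ok := PathMajor(module); ok && v.Major != major {
		return false, fmt.Errorf("%s@%s: major %d does not match path suffix /v%d", module, version, v.Major, major)
	} else if !ok && v.Major > 1 {
		return false, fmt.Errorf("%s@%s: major %d requires a /v%d path suffix", module, version, v.Major, v.Major)
	}
	for _, e := range entries {
		if e.Module != module {
			continue
		}
		for _, r := range e.Ranges {
			intro, err := ParseVersion(r.Introduced)
			if err != nil {
				return false, err
			}
			if v.Less(intro) {
				continue // below the version that introduced the bug
			}
			if r.Fixed == "" {
				return true, nil // no fix known: affected from Introduced onward
			}
			if fixed, err := ParseVersion(r.Fixed); err != nil {
				return false, err
			} else if v.Less(fixed) {
				return true, nil
			}
		}
	}
	return false, nil
}

// Before and After are constructed from the thread's description of GO-2024-3166:
// the original entry listed the v1 path as "all versions, no known fix".
var Before = []Affected{
	{Module: "github.com/theupdateframework/go-tuf", Ranges: []Range{{Introduced: "v0.0.0"}}},
	{Module: "github.com/theupdateframework/go-tuf/v2", Ranges: []Range{{Introduced: "v2.0.0", Fixed: "v2.0.1"}}},
}

var After = []Affected{
	{Module: "github.com/theupdateframework/go-tuf/v2", Ranges: []Range{{Introduced: "v2.0.0", Fixed: "v2.0.1"}}},
}

func main() {
	for _, q := range [][2]string{
		{"github.com/theupdateframework/go-tuf", "v0.7.0"},
		{"github.com/theupdateframework/go-tuf/v2", "v2.0.0"},
		{"github.com/theupdateframework/go-tuf/v2", "v2.0.2"},
	} {
		b, _ := IsAffected(Before, q[0], q[1])
		a, _ := IsAffected(After, q[0], q[1])
		fmt.Printf("%s@%s  before: %v  after: %v\n", q[0], q[1], b, a)
	}
}
```

With the original entry, v0.7.0 of the v1 module is reported as affected purely because of the open-ended range; with the corrected entry only v2.0.0 of the `/v2` module matches, and the major-version check turns a mismatched query such as the v1 path at v2.0.0 into an error rather than a silent false negative.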

maceonthompson commented 1 month ago

Thanks for the clarification, sorry for the miss on my end. Updated the report, you should see the changes soon. @RebeccaMahany

RebeccaMahany commented 1 month ago

Thank you for taking another look -- I appreciate it!