data/reports: add GO-2022-1165.yaml

Aliases: CVE-2022-23525, GHSA-53c4-hhmh-vw5q

Fixes golang/vulndb#1165

Change-Id: If01e32a86f5097aea622cfe957c5a84d6d84b2dd
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/459222
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/data/reports/GO-2022-1165.yaml b/data/reports/GO-2022-1165.yaml new file mode 100644 index 0000000..4e13840 --- /dev/null +++ b/data/reports/GO-2022-1165.yaml
@@ -0,0 +1,44 @@ +modules: + - module: helm.sh/helm/v3 + versions: + - fixed: 3.10.3 + vulnerable_at: 3.10.2 + packages: + - package: helm.sh/helm/v3/pkg/repo + symbols: + - IndexFile.MustAdd + - loadIndex + - File.Remove + derived_symbols: + - ChartRepository.DownloadIndexFile + - ChartRepository.Index + - ChartRepository.Load + - FindChartInAuthAndTLSAndPassRepoURL + - FindChartInAuthAndTLSRepoURL + - FindChartInAuthRepoURL + - FindChartInRepoURL + - IndexDirectory + - IndexFile.Add + - LoadIndexFile +description: | + Applications that use the repo package in the Helm SDK to parse an index + file can suffer a Denial of Service when that input causes a panic that + cannot be recovered from. + + The repo package contains a handler that processes the index file of a + repository. For example, the Helm client adds references to chart + repositories where charts are managed. The repo package parses the index + file of the repository and loads it into memory. Some index files can cause + array data structures to be created causing a memory violation. + + The Helm Client will panic with an index file that causes a memory + violation panic. Helm is not a long running service so the panic will not + affect future uses of the Helm client. +cves: + - CVE-2022-23525 +ghsas: + - GHSA-53c4-hhmh-vw5q +credit: Ada Logics, in a fuzzing audit sponsored by CNCF +references: + - advisory: https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q + - fix: https://github.com/helm/helm/commit/638ebffbc2e445156f3978f02fd83d9af1e56f5b
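Review bot: the third paragraph of `description` narrows the impact to the Helm client ("Helm is not a long running service so the panic will not affect future uses"), but the first paragraph scopes the report to any application using the `repo` package from the SDK, and the `derived_symbols` list (`ChartRepository.DownloadIndexFile`, `LoadIndexFile`, `FindChartInRepoURL`, ...) is exactly what a long-running service embedding Helm would call on untrusted index files, where an unrecovered panic does mean a crash. Suggest adding one sentence making that distinction explicit, e.g. "Applications that embed the repo package in a long-running process are affected until they upgrade to 3.10.3." Minor: "causes a memory violation panic" in the same paragraph repeats the second paragraph; "an index file that triggers this panic" reads cleaner, and "Denial of Service" should be lower-case to match other reports.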