Google Git
Sign in
go / vulndb / 9c48f25872ed9afa51913ae646ca919ffcf221da^! / .
commit9c48f25872ed9afa51913ae646ca919ffcf221da[log] [tgz]
authorTatiana Bradley <tatianabradley@google.com>Thu Jan 26 16:06:26 2023 +0000
committerTatiana Bradley <tatianabradley@google.com>Tue Jan 31 19:20:06 2023 +0000
treee21b16313cb17bfbfc26c70a62c9beef2daaec7a
parentb83913cf72d1a1900e678efc9f1c6e461e297021 [diff]
data/reports: fix GO-2021-0228.yaml

Add vulnerable_at and missing affected package

Aliases: CVE-2020-7664, GHSA-vpx7-vm66-qx8r

Updates golang/vulndb#228

Change-Id: I768700d8f98d738f05119a1ad2dceb9c301b0ea1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/463680
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tim King <taking@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>

diff --git a/data/osv/GO-2021-0228.json b/data/osv/GO-2021-0228.json
index 822d733..f7062dc 100644
--- a/data/osv/GO-2021-0228.json
+++ b/data/osv/GO-2021-0228.json

@@ -32,6 +32,21 @@
       "ecosystem_specific": {
         "imports": [
           {
+            "path": "github.com/unknwon/cae/tz",
+            "symbols": [
+              "Create",
+              "ExtractTo",
+              "Open",
+              "OpenFile",
+              "TzArchive.Close",
+              "TzArchive.ExtractTo",
+              "TzArchive.ExtractToFunc",
+              "TzArchive.Flush",
+              "TzArchive.Open",
+              "TzArchive.syncFiles"
+            ]
+          },
+          {
             "path": "github.com/unknwon/cae/zip",
             "symbols": [
               "Create",
@@ -39,16 +54,10 @@
               "ExtractToFunc",
               "Open",
               "OpenFile",
-              "TzArchive.ExtractToFunc",
-              "TzArchive.ExtractToFunc",
-              "TzArchive.syncFiles",
-              "TzArchive.syncFiles",
               "ZipArchive.Close",
               "ZipArchive.ExtractTo",
               "ZipArchive.ExtractToFunc",
-              "ZipArchive.ExtractToFunc",
               "ZipArchive.Flush",
-              "ZipArchive.Open",
               "ZipArchive.Open"
             ]
           }

diff --git a/data/reports/GO-2021-0228.yaml b/data/reports/GO-2021-0228.yaml
index 5faed50..c4ed51b 100644
--- a/data/reports/GO-2021-0228.yaml
+++ b/data/reports/GO-2021-0228.yaml

@@ -2,11 +2,23 @@
   - module: github.com/unknwon/cae
     versions:
       - fixed: 1.0.1
+    vulnerable_at: 1.0.0
     packages:
-      - package: github.com/unknwon/cae/zip
+      - package: github.com/unknwon/cae/tz
         symbols:
           - TzArchive.syncFiles
           - TzArchive.ExtractToFunc
+        derived_symbols:
+          - Create
+          - ExtractTo
+          - Open
+          - OpenFile
+          - TzArchive.Close
+          - TzArchive.ExtractTo
+          - TzArchive.Flush
+          - TzArchive.Open
+      - package: github.com/unknwon/cae/zip
+        symbols:
           - ZipArchive.Open
           - ZipArchive.ExtractToFunc
         derived_symbols:
@@ -15,13 +27,9 @@
           - ExtractToFunc
           - Open
           - OpenFile
-          - TzArchive.ExtractToFunc
-          - TzArchive.syncFiles
           - ZipArchive.Close
           - ZipArchive.ExtractTo
-          - ZipArchive.ExtractToFunc
           - ZipArchive.Flush
-          - ZipArchive.Open
 description: |
     The ExtractTo function doesn't securely escape file paths in zip archives
     which include leading or non-leading "..". This allows an attacker to add or