data/reports: fix GO-2021-0228.yaml
Add vulnerable_at and missing affected package
Aliases: CVE-2020-7664, GHSA-vpx7-vm66-qx8r
Updates golang/vulndb#228
Change-Id: I768700d8f98d738f05119a1ad2dceb9c301b0ea1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/463680
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Tim King <taking@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2021-0228.json b/data/osv/GO-2021-0228.json
index 822d733..f7062dc 100644
--- a/data/osv/GO-2021-0228.json
+++ b/data/osv/GO-2021-0228.json
@@ -32,6 +32,21 @@
"ecosystem_specific": {
"imports": [
{
+ "path": "github.com/unknwon/cae/tz",
+ "symbols": [
+ "Create",
+ "ExtractTo",
+ "Open",
+ "OpenFile",
+ "TzArchive.Close",
+ "TzArchive.ExtractTo",
+ "TzArchive.ExtractToFunc",
+ "TzArchive.Flush",
+ "TzArchive.Open",
+ "TzArchive.syncFiles"
+ ]
+ },
+ {
"path": "github.com/unknwon/cae/zip",
"symbols": [
"Create",
@@ -39,16 +54,10 @@
"ExtractToFunc",
"Open",
"OpenFile",
- "TzArchive.ExtractToFunc",
- "TzArchive.ExtractToFunc",
- "TzArchive.syncFiles",
- "TzArchive.syncFiles",
"ZipArchive.Close",
"ZipArchive.ExtractTo",
"ZipArchive.ExtractToFunc",
- "ZipArchive.ExtractToFunc",
"ZipArchive.Flush",
- "ZipArchive.Open",
"ZipArchive.Open"
]
}
diff --git a/data/reports/GO-2021-0228.yaml b/data/reports/GO-2021-0228.yaml
index 5faed50..c4ed51b 100644
--- a/data/reports/GO-2021-0228.yaml
+++ b/data/reports/GO-2021-0228.yaml
@@ -2,11 +2,23 @@
- module: github.com/unknwon/cae
versions:
- fixed: 1.0.1
+ vulnerable_at: 1.0.0
packages:
- - package: github.com/unknwon/cae/zip
+ - package: github.com/unknwon/cae/tz
symbols:
- TzArchive.syncFiles
- TzArchive.ExtractToFunc
+ derived_symbols:
+ - Create
+ - ExtractTo
+ - Open
+ - OpenFile
+ - TzArchive.Close
+ - TzArchive.ExtractTo
+ - TzArchive.Flush
+ - TzArchive.Open
+ - package: github.com/unknwon/cae/zip
+ symbols:
- ZipArchive.Open
- ZipArchive.ExtractToFunc
derived_symbols:
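Review bot: The `description` visible just below this hunk still says the flaw concerns "file paths in zip archives" only, although this hunk now lists `github.com/unknwon/cae/tz` as an affected package. Someone triaging a finding for the tz package from the report text alone could wrongly conclude it does not apply to them. The description runs past the visible lines, so it may already cover this. If it does not, consider wording such as `file paths in zip and tar.gz archives` (tz appears to be the tar.gz implementation; confirm), and name the tz entry points alongside `ExtractTo`.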
@@ -15,13 +27,9 @@
- ExtractToFunc
- Open
- OpenFile
- - TzArchive.ExtractToFunc
- - TzArchive.syncFiles
- ZipArchive.Close
- ZipArchive.ExtractTo
- - ZipArchive.ExtractToFunc
- ZipArchive.Flush
- - ZipArchive.Open
description: |
The ExtractTo function doesn't securely escape file paths in zip archives
which include leading or non-leading "..". This allows an attacker to add or