data/reports: add GO-2024-2824.yaml
Aliases: CVE-2024-24788
Updates golang/vulndb#2824
Change-Id: I5c0423bfa540ed0b3d0104bc10bebd3ce26c9368
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/583779
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/cve/v5/GO-2024-2824.json b/data/cve/v5/GO-2024-2824.json
new file mode 100644
index 0000000..fdedd74
--- /dev/null
+++ b/data/cve/v5/GO-2024-2824.json
@@ -0,0 +1,170 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2024-24788"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "title": "Malformed DNS message can cause infinite loop in net",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Go standard library",
+ "product": "net",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "net",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.21.10",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.22.0-0",
+ "lessThan": "1.22.3",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "extractExtendedRCode"
+ },
+ {
+ "name": "Dial"
+ },
+ {
+ "name": "DialTimeout"
+ },
+ {
+ "name": "Dialer.Dial"
+ },
+ {
+ "name": "Dialer.DialContext"
+ },
+ {
+ "name": "Listen"
+ },
+ {
+ "name": "ListenConfig.Listen"
+ },
+ {
+ "name": "ListenConfig.ListenPacket"
+ },
+ {
+ "name": "ListenPacket"
+ },
+ {
+ "name": "LookupAddr"
+ },
+ {
+ "name": "LookupCNAME"
+ },
+ {
+ "name": "LookupHost"
+ },
+ {
+ "name": "LookupIP"
+ },
+ {
+ "name": "LookupMX"
+ },
+ {
+ "name": "LookupNS"
+ },
+ {
+ "name": "LookupSRV"
+ },
+ {
+ "name": "LookupTXT"
+ },
+ {
+ "name": "ResolveIPAddr"
+ },
+ {
+ "name": "ResolveTCPAddr"
+ },
+ {
+ "name": "ResolveUDPAddr"
+ },
+ {
+ "name": "Resolver.LookupAddr"
+ },
+ {
+ "name": "Resolver.LookupCNAME"
+ },
+ {
+ "name": "Resolver.LookupHost"
+ },
+ {
+ "name": "Resolver.LookupIP"
+ },
+ {
+ "name": "Resolver.LookupIPAddr"
+ },
+ {
+ "name": "Resolver.LookupMX"
+ },
+ {
+ "name": "Resolver.LookupNS"
+ },
+ {
+ "name": "Resolver.LookupNetIP"
+ },
+ {
+ "name": "Resolver.LookupSRV"
+ },
+ {
+ "name": "Resolver.LookupTXT"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE 400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/issue/66754"
+ },
+ {
+ "url": "https://go.dev/cl/578375"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/wkkO4P9stm0"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2824"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "@long-name-let-people-remember-you"
+ },
+ {
+ "lang": "en",
+ "value": "Mateusz Poliwczak"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2824.json b/data/osv/GO-2024-2824.json
new file mode 100644
index 0000000..aca48f5
--- /dev/null
+++ b/data/osv/GO-2024-2824.json
@@ -0,0 +1,102 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2824",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-24788"
+ ],
+ "summary": "Malformed DNS message can cause infinite loop in net",
+ "details": "A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.",
+ "affected": [
+ {
+ "package": {
+ "name": "stdlib",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.21.10"
+ },
+ {
+ "introduced": "1.22.0-0"
+ },
+ {
+ "fixed": "1.22.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "net",
+ "symbols": [
+ "Dial",
+ "DialTimeout",
+ "Dialer.Dial",
+ "Dialer.DialContext",
+ "Listen",
+ "ListenConfig.Listen",
+ "ListenConfig.ListenPacket",
+ "ListenPacket",
+ "LookupAddr",
+ "LookupCNAME",
+ "LookupHost",
+ "LookupIP",
+ "LookupMX",
+ "LookupNS",
+ "LookupSRV",
+ "LookupTXT",
+ "ResolveIPAddr",
+ "ResolveTCPAddr",
+ "ResolveUDPAddr",
+ "Resolver.LookupAddr",
+ "Resolver.LookupCNAME",
+ "Resolver.LookupHost",
+ "Resolver.LookupIP",
+ "Resolver.LookupIPAddr",
+ "Resolver.LookupMX",
+ "Resolver.LookupNS",
+ "Resolver.LookupNetIP",
+ "Resolver.LookupSRV",
+ "Resolver.LookupTXT",
+ "extractExtendedRCode"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://go.dev/issue/66754"
+ },
+ {
+ "type": "FIX",
+ "url": "https://go.dev/cl/578375"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/golang-announce/c/wkkO4P9stm0"
+ }
+ ],
+ "credits": [
+ {
+ "name": "@long-name-let-people-remember-you"
+ },
+ {
+ "name": "Mateusz Poliwczak"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2824"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2824.yaml b/data/reports/GO-2024-2824.yaml
new file mode 100644
index 0000000..61c64cf
--- /dev/null
+++ b/data/reports/GO-2024-2824.yaml
@@ -0,0 +1,59 @@
+id: GO-2024-2824
+modules:
+ - module: std
+ versions:
+ - fixed: 1.21.10
+ - introduced: 1.22.0-0
+ fixed: 1.22.3
+ vulnerable_at: 1.22.2
+ packages:
+ - package: net
+ symbols:
+ - extractExtendedRCode
+ derived_symbols:
+ - Dial
+ - DialTimeout
+ - Dialer.Dial
+ - Dialer.DialContext
+ - Listen
+ - ListenConfig.Listen
+ - ListenConfig.ListenPacket
+ - ListenPacket
+ - LookupAddr
+ - LookupCNAME
+ - LookupHost
+ - LookupIP
+ - LookupMX
+ - LookupNS
+ - LookupSRV
+ - LookupTXT
+ - ResolveIPAddr
+ - ResolveTCPAddr
+ - ResolveUDPAddr
+ - Resolver.LookupAddr
+ - Resolver.LookupCNAME
+ - Resolver.LookupHost
+ - Resolver.LookupIP
+ - Resolver.LookupIPAddr
+ - Resolver.LookupMX
+ - Resolver.LookupNS
+ - Resolver.LookupNetIP
+ - Resolver.LookupSRV
+ - Resolver.LookupTXT
+summary: Malformed DNS message can cause infinite loop in net
+description: |-
+ A malformed DNS message in response to a query can cause the Lookup functions to
+ get stuck in an infinite loop.
+credits:
+ - '@long-name-let-people-remember-you'
+ - Mateusz Poliwczak
+references:
+ - report: https://go.dev/issue/66754
+ - fix: https://go.dev/cl/578375
+ - web: https://groups.google.com/g/golang-announce/c/wkkO4P9stm0
+cve_metadata:
+ id: CVE-2024-24788
+ cwe: 'CWE 400: Uncontrolled Resource Consumption'
+source:
+ id: go-security-team
+ created: 2024-05-07T16:56:31.886878-04:00
