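# Vulnerability report entry for the etcd write-ahead log package.
# Import path of the affected package.
package = "github.com/etcd-io/etcd/wal"
# Human-readable summary; `[`WAL.ReadAll`][]` is a reference-style link to the
# affected symbol listed under `symbols` below.
description = """
Malformed WALs can be constructed such that [`WAL.ReadAll`][] attempts
out-of-bounds reads or allocates arbitrarily sized slices, which may be used as
a DoS vector.
"""
cve = "CVE-2020-15106"
credit = "Trail of Bits"
# Exported identifiers through which the vulnerable code is reached.
symbols = ["WAL.ReadAll"]

[[versions]]
# Only `fixed` is given (no `introduced`), so presumably every version below
# `fixed` is treated as affected.
# The schema has no way to say "fixed at this version, and also backported to
# these earlier point releases": per the upstream fix, >= 3.4.10 is fixed, but
# so is 3.3.23. Open question whether the schema needs a field for that.
# NOTE(review): this is a v0.x pseudo-version whose commit suffix matches
# `links.commit` below. If a consumer compares it against the v3.x release tags
# named above, every v3.x tag — including vulnerable 3.4.x releases before
# 3.4.10 — would sort above it and be treated as fixed; confirm how version
# comparison is performed before relying on this entry for range matching.
fixed = "v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4"

[links]
pr = "https://github.com/etcd-io/etcd/pull/11793"
# Fix commit; its hash prefix is the suffix of `versions.fixed`.
commit = "https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07"
# Third-party audit report in which the issue was reported.
context = ["https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf"]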