data/reports: add GO-2023-1631.yaml
Aliases: CVE-2023-24535
Updates golang/vulndb#1631
Change-Id: If969c534b888ca71d337a6dc85e691839973488d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/476098
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Damien Neil <dneil@google.com>
diff --git a/data/cve/v5/GO-2023-1631.json b/data/cve/v5/GO-2023-1631.json
new file mode 100644
index 0000000..2baa92b
--- /dev/null
+++ b/data/cve/v5/GO-2023-1631.json
@@ -0,0 +1,95 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-24535"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "google.golang.org/protobuf",
+ "product": "google.golang.org/protobuf/encoding/prototext",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "google.golang.org/protobuf/encoding/prototext",
+ "versions": [
+ {
+ "version": "1.29.0",
+ "lessThan": "1.29.1",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "UnmarshalOptions.unmarshal"
+ },
+ {
+ "name": "Unmarshal"
+ },
+ {
+ "name": "UnmarshalOptions.Unmarshal"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ },
+ {
+ "vendor": "google.golang.org/protobuf",
+ "product": "google.golang.org/protobuf/internal/encoding/text",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "google.golang.org/protobuf/internal/encoding/text",
+ "versions": [
+ {
+ "version": "1.29.0",
+ "lessThan": "1.29.1",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "parseNumber"
+ },
+ {
+ "name": "Decoder.Peek"
+ },
+ {
+ "name": "Decoder.Read"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-125: Out-of-bounds Read"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/475995"
+ },
+ {
+ "url": "https://github.com/golang/protobuf/issues/1530"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2023-1631"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-1631.json b/data/osv/GO-2023-1631.json
new file mode 100644
index 0000000..8fe9e9e
--- /dev/null
+++ b/data/osv/GO-2023-1631.json
@@ -0,0 +1,64 @@
+{
+ "id": "GO-2023-1631",
+ "published": "0001-01-01T00:00:00Z",
+ "modified": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-24535"
+ ],
+ "details": "Parsing invalid messages can panic.\n\nParsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.",
+ "affected": [
+ {
+ "package": {
+ "name": "google.golang.org/protobuf",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.29.0"
+ },
+ {
+ "fixed": "1.29.1"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-1631"
+ },
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "google.golang.org/protobuf/encoding/prototext",
+ "symbols": [
+ "Unmarshal",
+ "UnmarshalOptions.Unmarshal",
+ "UnmarshalOptions.unmarshal"
+ ]
+ },
+ {
+ "path": "google.golang.org/protobuf/internal/encoding/text",
+ "symbols": [
+ "Decoder.Peek",
+ "Decoder.Read",
+ "parseNumber"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "FIX",
+ "url": "https://go.dev/cl/475995"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/golang/protobuf/issues/1530"
+ }
+ ],
+ "schema_version": "1.3.1"
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-1631.yaml b/data/reports/GO-2023-1631.yaml
new file mode 100644
index 0000000..beac3c0
--- /dev/null
+++ b/data/reports/GO-2023-1631.yaml
@@ -0,0 +1,34 @@
+modules:
+ - module: google.golang.org/protobuf
+ versions:
+ - introduced: 1.29.0
+ fixed: 1.29.1
+ vulnerable_at: 1.29.0
+ packages:
+ - package: google.golang.org/protobuf/encoding/prototext
+ symbols:
+ - UnmarshalOptions.unmarshal
+ derived_symbols:
+ - Unmarshal
+ - UnmarshalOptions.Unmarshal
+ - package: google.golang.org/protobuf/internal/encoding/text
+ symbols:
+ - parseNumber
+ derived_symbols:
+ - Decoder.Peek
+ - Decoder.Read
+summary: |
+ Parsing invalid messages can panic.
+description: |
+ Parsing invalid messages can panic.
+
+ Parsing a text-format message which contains
+ a potential number consisting of a minus sign,
+ one or more characters of whitespace,
+ and no further input will cause a panic.
+references:
+ - fix: https://go.dev/cl/475995
+ - report: https://github.com/golang/protobuf/issues/1530
+cve_metadata:
+ id: CVE-2023-24535
+ cwe: 'CWE-125: Out-of-bounds Read'
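Review bot: The `summary` on the line `Parsing invalid messages can panic.` does not say which wire format or package is affected, so a reader scanning the advisory index cannot tell that binary `proto.Unmarshal` is out of scope; the `description` only introduces "text-format" in its second paragraph, and the CVE and OSV hunks earlier in this commit copy the same generic wording. Consider `summary: Parsing invalid text-format messages can panic in google.golang.org/protobuf/encoding/prototext`, and leading the description with that sentence as well, since the `modules` block already scopes the vulnerable symbols to prototext and internal/encoding/text. The `cwe` of CWE-125 reads as the right classification for an index past the end of the input on a minus-sign-plus-whitespace prefix, but confirm it against the fix CL referenced at go.dev/cl/475995 before publishing.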