data/reports: add GO-2024-2826.yaml

Aliases: CVE-2024-32886, GHSA-649x-hxfx-57j2 Fixes #2826 Change-Id: I6ed71a1ba6370f517ae7fdce8eccf608d93db326 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/584257 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
golang · May 10, 2024 · a3ba6c6 · a3ba6c6
1 parent fe9f8b1
commit a3ba6c6
Show file tree

Hide file tree

Showing 2 changed files with 329 additions and 0 deletions.
diff --git a/data/osv/GO-2024-2826.json b/data/osv/GO-2024-2826.json
@@ -0,0 +1,191 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2826",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-32886",
+    "GHSA-649x-hxfx-57j2"
+  ],
+  "summary": "Denial of service attack by triggering unbounded memory usage in vitess.io/vitess",
+  "details": "When executing a query, the vtgate will go into an endless loop that also keeps consuming memory and eventually will OOM. This causes a denial of service.",
+  "affected": [
+    {
+      "package": {
+        "name": "vitess.io/vitess",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.17.7"
+            },
+            {
+              "introduced": "0.18.0"
+            },
+            {
+              "fixed": "0.18.5"
+            },
+            {
+              "introduced": "0.19.0"
+            },
+            {
+              "fixed": "0.19.4"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "vitess.io/vitess/go/mysql/collations/charset",
+            "symbols": [
+              "Convert",
+              "ConvertFromBinary",
+              "ConvertFromUTF8",
+              "Validate",
+              "convertSlow"
+            ]
+          },
+          {
+            "path": "vitess.io/vitess/go/mysql/collations/charset/unicode",
+            "symbols": [
+              "Charset_ucs2.DecodeRune",
+              "Charset_utf16be.DecodeRune",
+              "Charset_utf16be.EncodeRune",
+              "Charset_utf32.EncodeRune"
+            ]
+          },
+          {
+            "path": "vitess.io/vitess/go/vt/vtgate/evalengine",
+            "symbols": [
+              "Add",
+              "AggregateEvalTypes",
+              "CoerceTo",
+              "CoerceTypes",
+              "Column.Format",
+              "Column.FormatFast",
+              "Comparison.ApplyTinyWeights",
+              "Comparison.Compare",
+              "Comparison.Less",
+              "Comparison.More",
+              "Comparison.Sort",
+              "Comparison.SortResult",
+              "CompiledExpr.Format",
+              "CompiledExpr.FormatFast",
+              "Divide",
+              "EvalResult.MustBoolean",
+              "EvalResult.String",
+              "EvalResult.ToBoolean",
+              "EvalResult.ToBooleanStrict",
+              "EvalResult.TupleValues",
+              "EvalResult.Value",
+              "ExpressionEnv.Evaluate",
+              "ExpressionEnv.EvaluateVM",
+              "FieldResolver.Column",
+              "IntroducerExpr.eval",
+              "Literal.Format",
+              "Literal.FormatFast",
+              "Merger.Init",
+              "Merger.Pop",
+              "Merger.Push",
+              "Multiply",
+              "NewLiteralBinaryFromBit",
+              "NewLiteralDateFromBytes",
+              "NewLiteralDatetimeFromBytes",
+              "NewLiteralDecimalFromBytes",
+              "NewLiteralFloatFromBytes",
+              "NewLiteralIntegralFromBytes",
+              "NewLiteralTimeFromBytes",
+              "NullSafeAdd",
+              "NullsafeCompare",
+              "NullsafeHashcode",
+              "NullsafeHashcode128",
+              "OrderByParams.Compare",
+              "OrderByParams.String",
+              "Sorter.Push",
+              "Sorter.Sorted",
+              "Subtract",
+              "Translate",
+              "TupleBindVariable.Format",
+              "TupleBindVariable.FormatFast",
+              "TupleExpr.Format",
+              "TupleExpr.FormatFast",
+              "UnsupportedCollationError.Error",
+              "UntypedExpr.Compile",
+              "UntypedExpr.Format",
+              "UntypedExpr.FormatFast",
+              "WeightString",
+              "aggregationDecimal.Add",
+              "aggregationDecimal.Max",
+              "aggregationDecimal.Min",
+              "aggregationFloat.Add",
+              "aggregationFloat.Max",
+              "aggregationFloat.Min",
+              "aggregationInt.Add",
+              "aggregationInt.Max",
+              "aggregationInt.Min",
+              "aggregationMinMax.Max",
+              "aggregationMinMax.Min",
+              "aggregationSumAny.Add",
+              "aggregationSumCount.Add",
+              "aggregationUint.Add",
+              "aggregationUint.Max",
+              "aggregationUint.Min",
+              "argError.Error",
+              "assembler.Fn_JSON_KEYS",
+              "assembler.Fn_REGEXP_REPLACE_slow",
+              "assembler.PushLiteral",
+              "astCompiler.translateIntroducerExpr",
+              "errJSONType.Error",
+              "evalBytes.Hash"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/vitessio/vitess/security/advisories/GHSA-649x-hxfx-57j2"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/vitessio/vitess/commit/2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/vitessio/vitess/commit/9df4b66550e46b5d7079e21ed0e1b0f49f92b055"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/vitessio/vitess/commit/c46dc5b6a4329a10589ca928392218d96031ac8d"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/vitessio/vitess/commit/d438adf7e34a6cf00fe441db80842ec669a99202"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/convert.go#L73-L79"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go#L69-L71"
+    }
+  ],
+  "credits": [
+    {
+      "name": "@dbussink, @mattrobenolt, and @vmg"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2826"
+  }
+}
diff --git a/data/reports/GO-2024-2826.yaml b/data/reports/GO-2024-2826.yaml
@@ -0,0 +1,138 @@
+id: GO-2024-2826
+modules:
+    - module: vitess.io/vitess
+      versions:
+        - fixed: 0.17.7
+        - introduced: 0.18.0
+          fixed: 0.18.5
+        - introduced: 0.19.0
+          fixed: 0.19.4
+      non_go_versions:
+        - fixed: 17.0.7
+        - introduced: 18.0.0
+          fixed: 18.0.5
+        - introduced: 19.0.0
+          fixed: 19.0.4
+      vulnerable_at: 0.19.0
+      packages:
+        - package: vitess.io/vitess/go/mysql/collations/charset
+          symbols:
+            - convertSlow
+            - Validate
+          derived_symbols:
+            - Convert
+            - ConvertFromBinary
+            - ConvertFromUTF8
+        - package: vitess.io/vitess/go/mysql/collations/charset/unicode
+          symbols:
+            - Charset_utf16be.EncodeRune
+            - Charset_utf16be.DecodeRune
+            - Charset_ucs2.DecodeRune
+            - Charset_utf32.EncodeRune
+        - package: vitess.io/vitess/go/vt/vtgate/evalengine
+          symbols:
+            - assembler.Fn_REGEXP_REPLACE_slow
+            - IntroducerExpr.eval
+            - astCompiler.translateIntroducerExpr
+          derived_symbols:
+            - Add
+            - AggregateEvalTypes
+            - CoerceTo
+            - CoerceTypes
+            - Column.Format
+            - Column.FormatFast
+            - Comparison.ApplyTinyWeights
+            - Comparison.Compare
+            - Comparison.Less
+            - Comparison.More
+            - Comparison.Sort
+            - Comparison.SortResult
+            - CompiledExpr.Format
+            - CompiledExpr.FormatFast
+            - Divide
+            - EvalResult.MustBoolean
+            - EvalResult.String
+            - EvalResult.ToBoolean
+            - EvalResult.ToBooleanStrict
+            - EvalResult.TupleValues
+            - EvalResult.Value
+            - ExpressionEnv.Evaluate
+            - ExpressionEnv.EvaluateVM
+            - FieldResolver.Column
+            - Literal.Format
+            - Literal.FormatFast
+            - Merger.Init
+            - Merger.Pop
+            - Merger.Push
+            - Multiply
+            - NewLiteralBinaryFromBit
+            - NewLiteralDateFromBytes
+            - NewLiteralDatetimeFromBytes
+            - NewLiteralDecimalFromBytes
+            - NewLiteralFloatFromBytes
+            - NewLiteralIntegralFromBytes
+            - NewLiteralTimeFromBytes
+            - NullSafeAdd
+            - NullsafeCompare
+            - NullsafeHashcode
+            - NullsafeHashcode128
+            - OrderByParams.Compare
+            - OrderByParams.String
+            - Sorter.Push
+            - Sorter.Sorted
+            - Subtract
+            - Translate
+            - TupleBindVariable.Format
+            - TupleBindVariable.FormatFast
+            - TupleExpr.Format
+            - TupleExpr.FormatFast
+            - UnsupportedCollationError.Error
+            - UntypedExpr.Compile
+            - UntypedExpr.Format
+            - UntypedExpr.FormatFast
+            - WeightString
+            - aggregationDecimal.Add
+            - aggregationDecimal.Max
+            - aggregationDecimal.Min
+            - aggregationFloat.Add
+            - aggregationFloat.Max
+            - aggregationFloat.Min
+            - aggregationInt.Add
+            - aggregationInt.Max
+            - aggregationInt.Min
+            - aggregationMinMax.Max
+            - aggregationMinMax.Min
+            - aggregationSumAny.Add
+            - aggregationSumCount.Add
+            - aggregationUint.Add
+            - aggregationUint.Max
+            - aggregationUint.Min
+            - argError.Error
+            - assembler.Fn_JSON_KEYS
+            - assembler.PushLiteral
+            - errJSONType.Error
+            - evalBytes.Hash
+summary: |-
+    Denial of service attack by triggering unbounded memory usage in
+    vitess.io/vitess
+description: |-
+    When executing a query, the vtgate will go into an endless
+    loop that also keeps consuming memory and eventually will OOM.
+    This causes a denial of service.
+cves:
+    - CVE-2024-32886
+ghsas:
+    - GHSA-649x-hxfx-57j2
+credits:
+    - '@dbussink, @mattrobenolt, and @vmg'
+references:
+    - advisory: https://github.com/vitessio/vitess/security/advisories/GHSA-649x-hxfx-57j2
+    - fix: https://github.com/vitessio/vitess/commit/2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df
+    - fix: https://github.com/vitessio/vitess/commit/9df4b66550e46b5d7079e21ed0e1b0f49f92b055
+    - fix: https://github.com/vitessio/vitess/commit/c46dc5b6a4329a10589ca928392218d96031ac8d
+    - fix: https://github.com/vitessio/vitess/commit/d438adf7e34a6cf00fe441db80842ec669a99202
+    - web: https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/convert.go#L73-L79
+    - web: https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go#L69-L71
+source:
+    id: GHSA-649x-hxfx-57j2
+    created: 2024-05-10T11:07:07.249403-07:00