From a8695ec45e265fb03702edf0f4159a7a30c6237a Mon Sep 17 00:00:00 2001 From: Zvonimir Pavlinovic Date: Mon, 7 Nov 2022 16:21:19 -0800 Subject: [PATCH] data/reports: add GO-2022-1098.yaml Aliases: CVE-2022-44797, GHSA-2chg-86hq-7w38 Fixes golang/vulndb#1098 Change-Id: Ibb647ca668635dbaa2321c8fbc4a14451fa02d70 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/448536 Reviewed-by: Damien Neil Run-TryBot: Zvonimir Pavlinovic TryBot-Result: Gopher Robot --- data/osv/GO-2022-1098.json | 76 ++++++++++++++++++++++++++++++++++ data/reports/GO-2022-1098.yaml | 35 ++++++++++++++++ 2 files changed, 111 insertions(+) create mode 100644 data/osv/GO-2022-1098.json create mode 100644 data/reports/GO-2022-1098.yaml diff --git a/data/osv/GO-2022-1098.json b/data/osv/GO-2022-1098.json new file mode 100644 index 00000000..8504cdd8 --- /dev/null +++ b/data/osv/GO-2022-1098.json @@ -0,0 +1,76 @@ +{ + "id": "GO-2022-1098", + "published": "0001-01-01T00:00:00Z", + "modified": "0001-01-01T00:00:00Z", + "aliases": [ + "CVE-2022-44797", + "GHSA-2chg-86hq-7w38" + ], + "details": "Erroneous message decoding can cause denial of service.\n\nImproper checking of maximum witness size during node message decoding prevented nodes in Lightning Labs lnd (before 0.15.2-beta) to sync.", + "affected": [ + { + "package": { + "name": "github.com/btcsuite/btcd", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.23.2" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1098" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/btcsuite/btcd/wire", + "symbols": [ + "MsgBlock.BtcDecode", + "MsgBlock.Deserialize", + "MsgBlock.DeserializeNoWitness", + "MsgBlock.DeserializeTxLoc", + "MsgTx.BtcDecode", + "MsgTx.Deserialize", + "MsgTx.DeserializeNoWitness", + "ReadMessage", + "ReadMessageN", + "ReadMessageWithEncodingN" + ] + } + ] + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2chg-86hq-7w38" + }, + { + "type": "REPORT", + "url": "https://github.com/lightningnetwork/lnd/issues/7002" + }, + { + "type": "FIX", + "url": "https://github.com/btcsuite/btcd/pull/1896/commits/f523d4ccaa5f34a2f761f16a05f5d6e6665b1168" + }, + { + "type": "WEB", + "url": "https://github.com/btcsuite/btcd/releases/tag/v0.23.2" + } + ], + "credits": [ + { + "name": "rsafier and Roasbeef (Github aliases)" + } + ] +} \ No newline at end of file diff --git a/data/reports/GO-2022-1098.yaml b/data/reports/GO-2022-1098.yaml new file mode 100644 index 00000000..1e38b562 --- /dev/null +++ b/data/reports/GO-2022-1098.yaml @@ -0,0 +1,35 @@ +modules: + - module: github.com/btcsuite/btcd + versions: + - fixed: 0.23.2 + vulnerable_at: 0.23.1 + packages: + - package: github.com/btcsuite/btcd/wire + symbols: + - MsgTx.BtcDecode + derived_symbols: + - MsgBlock.BtcDecode + - MsgBlock.Deserialize + - MsgBlock.DeserializeNoWitness + - MsgBlock.DeserializeTxLoc + - MsgTx.Deserialize + - MsgTx.DeserializeNoWitness + - ReadMessage + - ReadMessageN + - ReadMessageWithEncodingN +description: | + Erroneous message decoding can cause denial of service. + + Improper checking of maximum witness size during node + message decoding prevented nodes in Lightning Labs lnd + (before 0.15.2-beta) to sync. +cves: + - CVE-2022-44797 +ghsas: + - GHSA-2chg-86hq-7w38 +credit: rsafier and Roasbeef (Github aliases) +references: + - advisory: https://github.com/advisories/GHSA-2chg-86hq-7w38 + - report: https://github.com/lightningnetwork/lnd/issues/7002 + - fix: https://github.com/btcsuite/btcd/pull/1896/commits/f523d4ccaa5f34a2f761f16a05f5d6e6665b1168 + - web: https://github.com/btcsuite/btcd/releases/tag/v0.23.2