data/reports: add GO-2024-2660.yaml

Aliases: CVE-2024-1394, GHSA-78hx-gp6g-7mj6

Fixes #2660

Change-Id: Ifed9ed6ce036a23df9bd1f853ec2ff891609b24a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/573475
Run-TryBot: Tim King <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

Author: timothy-king

data/osv/GO-2024-2660.json

@@ -0,0 +1,136 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2660",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-1394",
+    "GHSA-78hx-gp6g-7mj6"
+  ],
+  "summary": "Memory leak in github.com/golang-fips/openssl/v2 and github.com/microsoft/go-crypto-openssl",
+  "details": "Using crafted public RSA keys can cause a small memory leak when encrypting and verifying payloads. This can be gradually leveraged into a denial of service attack.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/golang-fips/openssl/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/golang-fips/openssl/v2",
+            "symbols": [
+              "DecryptRSANoPadding",
+              "DecryptRSAOAEP",
+              "DecryptRSAPKCS1",
+              "EncryptRSANoPadding",
+              "EncryptRSAOAEP",
+              "EncryptRSAPKCS1",
+              "NewGCMTLS",
+              "NewGCMTLS13",
+              "NewRC4Cipher",
+              "SignMarshalECDSA",
+              "SignRSAPKCS1v15",
+              "SignRSAPSS",
+              "VerifyECDSA",
+              "VerifyRSAPKCS1v15",
+              "VerifyRSAPSS",
+              "aesCipher.Decrypt",
+              "aesCipher.Encrypt",
+              "aesCipher.NewCBCDecrypter",
+              "aesCipher.NewCBCEncrypter",
+              "aesCipher.NewCTR",
+              "aesCipher.NewGCM",
+              "aesCipher.NewGCMTLS",
+              "aesCipher.NewGCMTLS13",
+              "desCipher.Decrypt",
+              "desCipher.Encrypt",
+              "desCipher.NewCBCDecrypter",
+              "desCipher.NewCBCEncrypter",
+              "desCipherWithoutCBC.Decrypt",
+              "desCipherWithoutCBC.Encrypt",
+              "newCipherCtx",
+              "noGCM.Decrypt",
+              "noGCM.Encrypt",
+              "setupEVP"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/microsoft/go-crypto-openssl",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.2.9"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/microsoft/go-crypto-openssl/openssl",
+            "symbols": [
+              "DecryptRSANoPadding",
+              "DecryptRSAOAEP",
+              "DecryptRSAOAEPWithMGF1Hash",
+              "DecryptRSAPKCS1",
+              "EncryptRSANoPadding",
+              "EncryptRSAOAEP",
+              "EncryptRSAOAEPWithMGF1Hash",
+              "EncryptRSAPKCS1",
+              "SignMarshalECDSA",
+              "SignRSAPKCS1v15",
+              "SignRSAPSS",
+              "VerifyECDSA",
+              "VerifyRSAPKCS1v15",
+              "VerifyRSAPSS",
+              "setupEVP"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f"
+    }
+  ],
+  "credits": [
+    {
+      "name": "@qmuntal and @r3kumar"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2660"
+  }
+}

data/reports/GO-2024-2660.yaml

@@ -0,0 +1,85 @@
+id: GO-2024-2660
+modules:
+    - module: github.com/golang-fips/openssl/v2
+      versions:
+        - fixed: 2.0.1
+      vulnerable_at: 2.0.0
+      packages:
+        - package: github.com/golang-fips/openssl/v2
+          symbols:
+            - newCipherCtx
+            - setupEVP
+          derived_symbols:
+            - DecryptRSANoPadding
+            - DecryptRSAOAEP
+            - DecryptRSAPKCS1
+            - EncryptRSANoPadding
+            - EncryptRSAOAEP
+            - EncryptRSAPKCS1
+            - NewGCMTLS
+            - NewGCMTLS13
+            - NewRC4Cipher
+            - SignMarshalECDSA
+            - SignRSAPKCS1v15
+            - SignRSAPSS
+            - VerifyECDSA
+            - VerifyRSAPKCS1v15
+            - VerifyRSAPSS
+            - aesCipher.Decrypt
+            - aesCipher.Encrypt
+            - aesCipher.NewCBCDecrypter
+            - aesCipher.NewCBCEncrypter
+            - aesCipher.NewCTR
+            - aesCipher.NewGCM
+            - aesCipher.NewGCMTLS
+            - aesCipher.NewGCMTLS13
+            - desCipher.Decrypt
+            - desCipher.Encrypt
+            - desCipher.NewCBCDecrypter
+            - desCipher.NewCBCEncrypter
+            - desCipherWithoutCBC.Decrypt
+            - desCipherWithoutCBC.Encrypt
+            - noGCM.Decrypt
+            - noGCM.Encrypt
+    - module: github.com/microsoft/go-crypto-openssl
+      versions:
+        - fixed: 0.2.9
+      vulnerable_at: 0.2.8
+      packages:
+        - package: github.com/microsoft/go-crypto-openssl/openssl
+          symbols:
+            - setupEVP
+          derived_symbols:
+            - DecryptRSANoPadding
+            - DecryptRSAOAEP
+            - DecryptRSAOAEPWithMGF1Hash
+            - DecryptRSAPKCS1
+            - EncryptRSANoPadding
+            - EncryptRSAOAEP
+            - EncryptRSAOAEPWithMGF1Hash
+            - EncryptRSAPKCS1
+            - SignMarshalECDSA
+            - SignRSAPKCS1v15
+            - SignRSAPSS
+            - VerifyECDSA
+            - VerifyRSAPKCS1v15
+            - VerifyRSAPSS
+summary: |-
+    Memory leak in github.com/golang-fips/openssl/v2 and
+    github.com/microsoft/go-crypto-openssl
+description: |-
+    Using crafted public RSA keys can cause a small memory leak when encrypting and
+    verifying payloads. This can be gradually leveraged into a denial of service
+    attack.
+cves:
+    - CVE-2024-1394
+ghsas:
+    - GHSA-78hx-gp6g-7mj6
+credits:
+    - '@qmuntal and @r3kumar'
+references:
+    - fix: https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136
+    - fix: https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f
+notes:
+    - github.com/golang-fips/go is patches to go standard compiler and library.
+    - github.com/microsoft/go is a clone of the go standard compiler and library. This is outside of what vulncheck can handle.