
Commit 72bcb35

committed
data/reports: add vulnerable_at to GO-2021-0098.yaml
Aliases: CVE-2021-21237, GHSA-cx3w-xqmc-84g5 Updates #98 Change-Id: I69c91b82b7b477c494c2ef8884b0e8d6e034589e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/465798 Run-TryBot: Tatiana Bradley <[email protected]> Reviewed-by: Tim King <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
1 parent b0e70d0 commit 72bcb35

2 files changed

+47
-6
lines changed

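--- a/data/osv/GO-2021-0098.json
+++ b/data/osv/GO-2021-0098.json
@@ -37,7 +37,14 @@
 "windows"
 ],
 "symbols": [
-"PipeCommand"
+"PipeCommand",
+"PipeMediaCommand",
+"Run",
+"lockVerifier.Verify",
+"singleCheckout.Run",
+"singleCheckout.RunToPath",
+"uploadContext.NewQueue",
+"uploadContext.UploadPointers"
 ]
 },
 {
@@ -46,7 +53,11 @@
 "windows"
 ],
 "symbols": [
+"AskPassCredentialHelper.Fill",
 "AskPassCredentialHelper.getFromProgram",
+"CredentialHelperWrapper.FillCreds",
+"CredentialHelpers.Approve",
+"CredentialHelpers.Fill",
 "commandCredentialHelper.Approve"
 ]
 },
@@ -56,6 +67,9 @@
 "windows"
 ],
 "symbols": [
+"GitFilter.Clean",
+"GitFilter.Smudge",
+"GitFilter.SmudgeToFile",
 "pipeExtensions"
 ]
 },
@@ -65,7 +79,13 @@
 "windows"
 ],
 "symbols": [
-"sshAuthClient.Resolve"
+"Client.Do",
+"Client.DoWithAccess",
+"Client.HttpClient",
+"Client.NewRequest",
+"Client.Transport",
+"sshAuthClient.Resolve",
+"sshCache.Resolve"
 ]
 }
 ]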

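--- a/data/reports/GO-2021-0098.yaml
+++ b/data/reports/GO-2021-0098.yaml
@@ -2,32 +2,53 @@ modules:
 - module: github.com/git-lfs/git-lfs
 versions:
 - fixed: 1.5.1-0.20210113180018-fc664697ed2c
+vulnerable_at: 1.5.1-0.20201211195948-e896fc7af7db
 packages:
 - package: github.com/git-lfs/git-lfs/commands
 goos:
 - windows
 symbols:
 - PipeCommand
-skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
+derived_symbols:
+- PipeMediaCommand
+- Run
+- lockVerifier.Verify
+- singleCheckout.Run
+- singleCheckout.RunToPath
+- uploadContext.NewQueue
+- uploadContext.UploadPointers
 - package: github.com/git-lfs/git-lfs/creds
 goos:
 - windows
 symbols:
 - AskPassCredentialHelper.getFromProgram
 - commandCredentialHelper.Approve
-skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
+derived_symbols:
+- AskPassCredentialHelper.Fill
+- CredentialHelperWrapper.FillCreds
+- CredentialHelpers.Approve
+- CredentialHelpers.Fill
 - package: github.com/git-lfs/git-lfs/lfs
 goos:
 - windows
 symbols:
 - pipeExtensions
-skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
+derived_symbols:
+- GitFilter.Clean
+- GitFilter.Smudge
+- GitFilter.SmudgeToFile
 - package: github.com/git-lfs/git-lfs/lfshttp
 goos:
 - windows
 symbols:
 - sshAuthClient.Resolve
-skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
+derived_symbols:
+- Client.Do
+- Client.DoWithAccess
+- Client.HttpClient
+- Client.NewRequest
+- Client.Transport
+- sshCache.Resolve
 description: |
 Due to the standard library behavior of exec.LookPath on Windows a number of methods may
 result in arbitrary code execution when cloning or operating on untrusted Git repositories.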
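Review bot: The added `vulnerable_at: 1.5.1-0.20201211195948-e896fc7af7db` has no explanation of why that commit was chosen, either in the report or in the commit message. Its timestamp predates the `fixed` pseudo-version, and the four `derived_symbols` lists appear to be generated from it, so a wrong choice would silently change which callers a scanner reports. If the report tooling preserves comments, consider a line such as `# vulnerable_at: e896fc7af7db predates the fix (fc664697ed2c); derived_symbols below are generated from it`. Every package is also limited to `goos: windows`, so the description could state that analysis for a non-Windows build configuration is presumably not expected to match these symbols. The description block may continue past the end of this hunk.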
