reports: add a handful of CVEs

Results of testing new CVE triaging tooling. Also adds a file which
tracks which CVEs have been triaged. Still need to add all of the
false positives, but would like to fine tune the triage tooling first
to hopefully cut down the number of them.

Change-Id: I7591b10f5abc5e73b6a3291beeaedca0032ad02f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1053804
Reviewed-by: Roland Shoemaker <[email protected]>

Author: rolandshoemaker

Diff for: reports/GO-2020-0005.toml

@@ -14,9 +14,6 @@ credit = "Trail of Bits"
 symbols = ["WAL.ReadAll"]
 
 [[versions]]
-# Do we also need a way to indicate "fixed after this version, but also these specific
-# earlier point releases are also fixed"? In this case >= 3.4.10 is fixed, but so was
-# 3.3.23
 fixed = "v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4"
 
 [links]

Diff for: reports/GO-2021-0056.toml

@@ -1,4 +1,5 @@
-module = "github.com/russellhaering/goxmldsig"
+module = "github.com/dexidp/dex"
+package = "github.com/dexidp/dex/connector/saml"
 
 description = """
 An XML message can be maliciously crafted such that signature
@@ -9,11 +10,11 @@ cve = "CVE-2020-15216"
 
 credit = "Juho Nurminen (Mattermost)"
 
-symbols = ["ValidationContext.findSignature"]
+symbols = ["provider.HandlePOST"]
 
 [[versions]]
-fixed = "v1.1.0"
+fixed = "v0.0.0-20201214082111-324b1c886b40"
 
 [links]
 commit = "https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8"
-context = ["https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"]
+context = ["https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"]

Diff for: reports/GO-2021-0070.toml

@@ -0,0 +1,26 @@
+module = "github.com/opencontainers/runc"
+package = "github.com/opencontainers/runc/libcontainer/user"
+
+description = """
+GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
+improperly interpred numeric UIDs as usernames. If the method is used without
+verify usernames are formatted as expected, it may allow a user to gain unexpected
+privileges.
+"""
+
+cve = "CVE-2016-3697"
+
+symbols = ["GetExecUser"]
+
+[[versions]]
+fixed = "v0.1.0"
+
+[links]
+commit = "https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091"
+pr = "https://github.com/opencontainers/runc/pull/708"
+context = [
+    "https://github.com/docker/docker/issues/21436",
+    "http://rhn.redhat.com/errata/RHSA-2016-1034.html",
+    "http://rhn.redhat.com/errata/RHSA-2016-2634.html",
+    "https://security.gentoo.org/glsa/201612-28"
+]

Diff for: reports/GO-2021-0071.toml

@@ -0,0 +1,22 @@
+module = "github.com/lxc/lxd"
+package = "github.com/lxc/lxd/shared"
+
+description = """
+A race between chown and chmod operations during a container filesystem shift
+may allow a user who can modify the filesystem to chmod an arbitary path of
+their choice, rather than the expected path.
+"""
+
+cve = "CVE-2015-1340"
+
+credit = "Seth Arnold"
+
+symbols = ["IdmapSet.doUidshiftIntoContainer"]
+
+[[versions]]
+fixed = "v0.0.0-20151004155856-19c6961cc101"
+
+[links]
+commit = "https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4"
+pr = "https://github.com/lxc/lxd/pull/1189"
+context = ["https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270"]

Diff for: reports/GO-2021-0072.toml

@@ -0,0 +1,30 @@
+module = "github.com/docker/distribution"
+package = "github.com/docker/distribution/registry/handlers"
+
+description = """
+Various storage methods do not impose limits on how much content is accepted
+from user requests, allowing a malicious user to force the caller to allocate
+an arbitary amount of memory.
+"""
+
+cve = "CVE-2017-11468"
+
+symbols = ["copyFullPayload"]
+
+[[versions]]
+fixed = "v2.7.0-rc.0+incompatible"
+
+[[additional_packages]]
+module = "github.com/docker/distribution"
+package = "github.com/docker/distribution/registry/storage"
+symbols = ["blobStore.Get"]
+[[additional_packages.versions]]
+fixed = "v2.7.0-rc.0+incompatible"
+
+[links]
+commit = "https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f"
+pr = "https://github.com/distribution/distribution/pull/2340"
+context = [
+    "https://access.redhat.com/errata/RHSA-2017:2603",
+    "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html"
+]

Diff for: reports/GO-2021-0073.toml

@@ -0,0 +1,24 @@
+module = "github.com/git-lfs/git-lfs"
+package = "github.com/git-lfs/git-lfs/lfsapi"
+
+description = """
+Arbitary command execution can be triggered by improperly
+sanitized SSH URLs in LFS configuration files. This can be
+triggered by cloning a malicious repoistory.
+"""
+
+cve = "CVE-2017-17831"
+
+symbols = ["sshGetLFSExeAndArgs"]
+
+[[versions]]
+fixed = "v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible"
+
+[links]
+commit = "https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19"
+pr = "https://github.com/git-lfs/git-lfs/pull/2241"
+context = [
+    "http://blog.recurity-labs.com/2017-08-10/scm-vulns",
+    "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html",
+    "http://www.securityfocus.com/bid/102926"
+]

Diff for: reports/GO-2021-0075.toml

@@ -0,0 +1,19 @@
+module = "github.com/ethereum/go-ethereum"
+package = "github.com/ethereum/go-ethereum/les"
+
+description = """
+Due to improper argument validation in RPC messages, a maliciously crafted
+message can cause a panic, leading to denial of service.
+"""
+
+cve = "CVE-2018-12018"
+
+symbols = ["protocolManager.handleMsg"]
+
+[[versions]]
+fixed = "v1.8.11"
+
+[links]
+commit = "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4"
+pr = "https://github.com/ethereum/go-ethereum/pull/16891"
+context = ["https://peckshield.com/2018/06/27/EPoD/"]

Diff for: reports/GO-2021-0076.toml

@@ -0,0 +1,18 @@
+module = "github.com/evanphx/json-patch"
+
+description = """
+A malicious JSON patch can cause a panic due to an out-of-bounds
+write attempt. This can be used as a denial of service vector if
+exposed to arbitary user input.
+"""
+
+cve = "CVE-2018-14632"
+
+symbols = ["partialArray.add"]
+
+[[versions]]
+fixed = "v0.5.2"
+
+[links]
+commit = "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03"
+pr = "https://github.com/evanphx/json-patch/pull/57"

Diff for: reports/GO-2021-0077.toml

@@ -0,0 +1,20 @@
+module = "go.etcd.io/etcd"
+package = "go.etcd.io/etcd/auth"
+
+description = """
+A user can use a valid client certificate that contains a CommonName that matches a
+valid RBAC username to authenticate themselves as that user, despite lacking the
+required credentials. This may allow authentication bypass, but requires a certificate
+that is issued by a CA trusted by the server.
+"""
+
+cve = "CVE-2018-16886"
+
+symbols = ["authStore.AuthInfoFromTLS"]
+
+[[versions]]
+fixed = "v0.5.0-alpha.5.0.20190108173120-83c051b701d3"
+
+[links]
+commit = "https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2"
+pr = "https://github.com/etcd-io/etcd/pull/10366"

Diff for: reports/GO-2021-0078.toml

@@ -0,0 +1,26 @@
+module = "golang.org/x/net"
+package = "golang.org/x/net/html"
+
+description = """
+The HTML parser does not properly handle "in frameset" insertion mode, and can be made
+to panic when operating on malformed HTML that contains <template> tags. If operating
+on user input, this may be a vector for a denial of service attack.
+"""
+
+cve = "CVE-2018-17075"
+
+credit = "Kunpei Sakai"
+
+symbols = ["inBodyIM", "inFramesetIM"]
+
+[[versions]]
+fixed = "v0.0.0-20180816102801-aaf60122140d"
+
+[links]
+commit = "https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50"
+pr = "https://go-review.googlesource.com/123776"
+context = [
+    "https://github.com/golang/go/issues/27016",
+    "https://bugs.chromium.org/p/chromium/issues/detail?id=829668",
+    "https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906"
+]

Diff for: reports/GO-2021-0079.toml

@@ -0,0 +1,22 @@
+module = "github.com/bytom/bytom"
+package = "github.com/bytom/bytom/p2p/discover"
+
+description = """
+A malformed query can cause an out-of-bounds panic due to improper
+validation of arguments. If processing queries from untrusted
+parties, this may be used as a vector for denial of service
+attacks.
+"""
+
+cve = "CVE-2018-18206"
+
+credit = "@yahtoo"
+
+symbols = ["Network.checkTopicRegister"]
+
+[[versions]]
+fixed = "v1.0.4-0.20180831054840-1ac3c8ac4f2b"
+
+[links]
+commit = "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
+pr = "https://github.com/Bytom/bytom/pull/1307"

Diff for: reports/GO-2021-0081.toml

@@ -0,0 +1,24 @@
+module = "github.com/containers/image"
+package = "github.com/containers/image/docker"
+
+description = """
+The HTTP client used to connect to the container registry authorization
+service explicitly disables TLS verification, allowing an attacker that
+is able to MITM the connection to steal credentials.
+"""
+
+cve = "CVE-2019-10214"
+
+symbols = ["dockerClient.getBearerToken"]
+
+[[versions]]
+introduced = ""
+fixed = "v2.0.2-0.20190802080134-634605d06e73+incompatible"
+
+[links]
+commit = "https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf"
+pr = "https://github.com/containers/image/pull/669"
+context = [
+    "https://github.com/containers/image/issues/654",
+    "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214"
+]

Diff for: reports/GO-2021-0082.toml

@@ -0,0 +1,19 @@
+module = "github.com/facebook/fbthrift"
+package = "github.com/facebook/fbthrift/thrift/lib/go/thrift"
+
+description = """
+Thirft Servers preallocate memory for the declared size of messages before
+checking the actual size of the message. This allows a malicious user to
+send messages that declare that they are significantly larger than they
+actually are, allowing them to force the server to allocate significant
+amounts of memory. This can be used as a denial of service vector.
+"""
+
+cve = "CVE-2019-11939"
+
+[[versions]]
+fixed = "v0.31.1-0.20200311080807-483ed864d69f"
+
+[links]
+commit = "https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757"
+context = ["https://www.facebook.com/security/advisories/cve-2019-11939"]

Diff for: reports/GO-2021-0083.toml

@@ -0,0 +1,19 @@
+module = "github.com/hybridgroup/gobot"
+package = "github.com/hybridgroup/gobot/platforms/mqtt"
+
+description = """
+TLS certificate verification is skipped when connecting to a MQTT server.
+This allows an attacker who can MITM the connection to read, or forge,
+messages passed between the client and server.
+"""
+
+cve = "CVE-2019-12496"
+
+symbols = ["Adaptor.newTLSConfig"]
+
+[[versions]]
+fixed = "v1.12.1-0.20190521122906-c1aa4f867846"
+
+[links]
+commit = "https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f"
+context = ["https://github.com/hybridgroup/gobot/releases/tag/v1.13.0"]

Diff for: reports/GO-2021-0084.toml

@@ -0,0 +1,21 @@
+module = "github.com/astaxie/beego"
+package = "github.com/astaxie/beego/session"
+
+description = """
+Session data is stored using permissive permissions, allowing local users
+with filesystem access to read arbitary data.
+"""
+
+cve = "CVE-2019-16354"
+
+credit = "@nicowaisman"
+
+symbols = ["FileProvider.SessionRead", "FileProvider.SessionRegenerate"]
+
+[[versions]]
+fixed = "v1.12.2-0.20200613154013-bac2b31afecc"
+
+[links]
+commit = "https://github.com/beego/beego/commit/bac2b31afecc65d9a89f9e473b8006c5edc0c8d1"
+pr = "https://github.com/beego/beego/pull/3975"
+context = ["https://github.com/beego/beego/issues/3763"]

Diff for: reports/GO-2021-0085.toml

@@ -0,0 +1,25 @@
+module = "github.com/opencontainers/runc"
+package = "github.com/opencontainers/runc/libcontainer"
+
+description = """
+AppArmor restrictions may be bypassed due to improper validation of mount
+targets, allowing a malicious image to mount volumes over e.g. /proc.
+"""
+
+cve = "CVE-2019-16884"
+
+credit = "Leopold Schabel"
+
+[[versions]]
+fixed = "v1.0.0-rc8.0.20190930145003-cad42f6e0932"
+
+[[additional_packages]]
+module = "github.com/opencontainers/selinux"
+package = "github.com/opencontainers/selinux/go-selinux"
+[[additional_packages.versions]]
+fixed = "v1.3.1-0.20190929122143-5215b1806f52"
+
+[links]
+commit = "https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4"
+pr = "https://github.com/opencontainers/runc/pull/2130"
+context = ["https://github.com/opencontainers/runc/issues/2128"]

Diff for: reports/GO-2021-0086.toml

@@ -0,0 +1,17 @@
+module = "github.com/documize/community"
+package = "github.com/documize/community/domain/section/markdown"
+
+description = """
+HTML content in mardkwon is not santized during rendering, possibly allowing
+XSS if used to render untrusted user input.
+"""
+
+cve = "CVE-2019-19619"
+
+symbols = ["Provider.Render"]
+
+[[versions]]
+fixed = "v1.76.3-0.20191119114751-a4384210d4d0"
+
+[links]
+commit = "https://github.com/documize/community/commit/a4384210d4d0d6b18e6fdb7e155de96d4a1cf9f3"