data/reports: update GO-2024-3167

- data/reports/GO-2024-3167.yaml Updates #3167 Fixes #3229 Change-Id: I289eb4e5b94c275a3157e6c580b0ea649ac50914 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/623935 Auto-Submit: Tatiana Bradley <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]>
golang · Nov 5, 2024 · b05c7fc · b05c7fc
1 parent c65acd9
commit b05c7fc
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 45 deletions.
diff --git a/data/osv/GO-2024-3167.json b/data/osv/GO-2024-3167.json
@@ -8,7 +8,7 @@
     "GHSA-3h3x-2hwv-hr52"
   ],
   "summary": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl",
-  "details": "Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl",
+  "details": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.",
   "affected": [
     {
       "package": {
@@ -26,23 +26,6 @@
         }
       ],
       "ecosystem_specific": {}
-    },
-    {
-      "package": {
-        "name": "github.com/golang-fips/openssl/v2",
-        "ecosystem": "Go"
-      },
-      "ranges": [
-        {
-          "type": "SEMVER",
-          "events": [
-            {
-              "introduced": "0"
-            }
-          ]
-        }
-      ],
-      "ecosystem_specific": {}
     }
   ],
   "references": [
@@ -51,28 +34,16 @@
       "url": "https://github.com/advisories/GHSA-3h3x-2hwv-hr52"
     },
     {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
-    },
-    {
-      "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2024:7502"
-    },
-    {
-      "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2024:7550"
-    },
-    {
-      "type": "WEB",
-      "url": "https://access.redhat.com/security/cve/CVE-2024-9355"
+      "type": "FIX",
+      "url": "https://github.com/golang-fips/openssl/pull/198"
     },
     {
       "type": "WEB",
-      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
+      "url": "https://github.com/github/advisory-database/pull/4950"
     }
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3167",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3167.yaml b/data/reports/GO-2024-3167.yaml
@@ -2,23 +2,25 @@ id: GO-2024-3167
 modules:
     - module: github.com/golang-fips/openssl
       vulnerable_at: 0.0.0-20230605154532-724e32b0f4b8
-    - module: github.com/golang-fips/openssl/v2
-      unsupported_versions:
-        - last_affected: 2.0.3
-      vulnerable_at: 2.0.3
 summary: Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl
+description: |-
+    A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious
+    user to randomly cause an uninitialized buffer length variable with a zeroed
+    buffer to be returned in FIPS mode. It may also be possible to force a false
+    positive match between non-equal hashes when comparing a trusted computed hmac
+    sum to an untrusted input sum if an attacker can send a zeroed buffer in place
+    of a pre-computed sum. It is also possible to force a derived key to be all
+    zeros instead of an unpredictable value. This may have follow-on implications
+    for the Go TLS stack.
 cves:
     - CVE-2024-9355
 ghsas:
     - GHSA-3h3x-2hwv-hr52
 references:
     - advisory: https://github.com/advisories/GHSA-3h3x-2hwv-hr52
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9355
-    - web: https://access.redhat.com/errata/RHSA-2024:7502
-    - web: https://access.redhat.com/errata/RHSA-2024:7550
-    - web: https://access.redhat.com/security/cve/CVE-2024-9355
-    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2315719
+    - fix: https://github.com/golang-fips/openssl/pull/198
+    - web: https://github.com/github/advisory-database/pull/4950
 source:
     id: GHSA-3h3x-2hwv-hr52
-    created: 2024-10-08T10:58:05.90723-04:00
-review_status: UNREVIEWED
+    created: 2024-10-31T09:56:02.572206-04:00
+review_status: REVIEWED