data/reports: add 5 reports

- data/reports/GO-2025-3372.yaml - data/reports/GO-2025-3373.yaml - data/reports/GO-2025-3383.yaml - data/reports/GO-2025-3420.yaml - data/reports/GO-2025-3421.yaml Fixes #3372 Fixes #3373 Fixes #3383 Fixes #3420 Fixes #3421 Change-Id: I38b618da8b38ec1916022d63d4a901ed097e26dc Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/644855 Auto-Submit: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
golang · Jan 28, 2025 · 785857f · 785857f
1 parent b808447
commit 785857f
Show file tree

Hide file tree

Showing 15 changed files with 1,428 additions and 0 deletions.
diff --git a/data/cve/v5/GO-2025-3372.json b/data/cve/v5/GO-2025-3372.json
@@ -0,0 +1,251 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2024-45339"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "title": "Vulnerability when creating log files in github.com/golang/glog",
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "github.com/golang/glog",
+          "product": "github.com/golang/glog",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "github.com/golang/glog",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "1.2.4",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "programRoutines": [
+            {
+              "name": "create"
+            },
+            {
+              "name": "Error"
+            },
+            {
+              "name": "ErrorContext"
+            },
+            {
+              "name": "ErrorContextDepth"
+            },
+            {
+              "name": "ErrorContextDepthf"
+            },
+            {
+              "name": "ErrorContextf"
+            },
+            {
+              "name": "ErrorDepth"
+            },
+            {
+              "name": "ErrorDepthf"
+            },
+            {
+              "name": "Errorf"
+            },
+            {
+              "name": "Errorln"
+            },
+            {
+              "name": "Exit"
+            },
+            {
+              "name": "ExitContext"
+            },
+            {
+              "name": "ExitContextDepth"
+            },
+            {
+              "name": "ExitContextDepthf"
+            },
+            {
+              "name": "ExitContextf"
+            },
+            {
+              "name": "ExitDepth"
+            },
+            {
+              "name": "ExitDepthf"
+            },
+            {
+              "name": "Exitf"
+            },
+            {
+              "name": "Exitln"
+            },
+            {
+              "name": "Fatal"
+            },
+            {
+              "name": "FatalContext"
+            },
+            {
+              "name": "FatalContextDepth"
+            },
+            {
+              "name": "FatalContextDepthf"
+            },
+            {
+              "name": "FatalContextf"
+            },
+            {
+              "name": "FatalDepth"
+            },
+            {
+              "name": "FatalDepthf"
+            },
+            {
+              "name": "Fatalf"
+            },
+            {
+              "name": "Fatalln"
+            },
+            {
+              "name": "Info"
+            },
+            {
+              "name": "InfoContext"
+            },
+            {
+              "name": "InfoContextDepth"
+            },
+            {
+              "name": "InfoContextDepthf"
+            },
+            {
+              "name": "InfoContextf"
+            },
+            {
+              "name": "InfoDepth"
+            },
+            {
+              "name": "InfoDepthf"
+            },
+            {
+              "name": "Infof"
+            },
+            {
+              "name": "Infoln"
+            },
+            {
+              "name": "Verbose.Info"
+            },
+            {
+              "name": "Verbose.InfoContext"
+            },
+            {
+              "name": "Verbose.InfoContextDepth"
+            },
+            {
+              "name": "Verbose.InfoContextDepthf"
+            },
+            {
+              "name": "Verbose.InfoContextf"
+            },
+            {
+              "name": "Verbose.InfoDepth"
+            },
+            {
+              "name": "Verbose.InfoDepthf"
+            },
+            {
+              "name": "Verbose.Infof"
+            },
+            {
+              "name": "Verbose.Infoln"
+            },
+            {
+              "name": "Warning"
+            },
+            {
+              "name": "WarningContext"
+            },
+            {
+              "name": "WarningContextDepth"
+            },
+            {
+              "name": "WarningContextDepthf"
+            },
+            {
+              "name": "WarningContextf"
+            },
+            {
+              "name": "WarningDepth"
+            },
+            {
+              "name": "WarningDepthf"
+            },
+            {
+              "name": "Warningf"
+            },
+            {
+              "name": "Warningln"
+            },
+            {
+              "name": "fileSink.Emit"
+            },
+            {
+              "name": "logBridge.Write"
+            },
+            {
+              "name": "syncBuffer.Write"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2"
+        },
+        {
+          "url": "https://github.com/golang/glog/pull/74"
+        },
+        {
+          "url": "https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs"
+        },
+        {
+          "url": "https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2025-3372"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "Josh McSavaney"
+        },
+        {
+          "lang": "en",
+          "value": "Günther Noack"
+        }
+      ]
+    }
+  }
+}