reports: add remaining triaged CVEs

rolandshoemaker · rolandshoemaker · commit 3cd20f480990 · 2021-04-14T00:37:40.000Z
And add the false-positives to the triaged-cve-list. Change-Id: I64188841372d99d6b91bb1dc602f6312c9b6b5ce Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1054739 Reviewed-by: Roland Shoemaker <bracewell@google.com>
diff --git a/reports/GO-2020-0005.toml b/reports/GO-2020-0005.toml
@@ -11,7 +11,7 @@ cve = "CVE-2020-15106"
 
 credit = "Trail of Bits"
 
-symbols = ["WAL.ReadAll"]
+symbols = ["WAL.ReadAll", "decoder.decodeRecord"]
 
 [[versions]]
 fixed = "v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4"
diff --git a/reports/GO-2021-0097.toml b/reports/GO-2021-0097.toml
@@ -0,0 +1,29 @@
+module = "github.com/dhowden/tag"
+
+description = """
+Due to improper bounds checking a number of methods can trigger a panic due to attempted
+out-of-bounds reads. If the package is used to parse user supplied input this may be
+used as a vector for a denial of service attack.
+"""
+
+cve = "CVE-2020-29242"
+
+credit = "@Jayl1n"
+
+symbols = [
+    "readPICFrame",
+    "readAPICFrame",
+    "readTextWithDescrFrame",
+    "readAtomData"
+]
+
+[[versions]]
+fixed = "v0.0.0-20201120070457-d52dcb253c63"
+
+[links]
+commit = "https://github.com/dhowden/tag/commit/d52dcb253c63a153632bfee5f269dd411dcd8e96"
+context = [
+    "https://github.com/dhowden/tag/commit/a92213460e4838490ce3066ef11dc823cdc1740e",
+    "https://github.com/dhowden/tag/commit/4b595ed4fac79f467594aa92f8953f90f817116e",
+    "https://github.com/dhowden/tag/commit/6b18201aa5c5535511802ddfb4e4117686b4866d"
+]
diff --git a/reports/GO-2021-0098.toml b/reports/GO-2021-0098.toml
@@ -0,0 +1,43 @@
+module = "github.com/git-lfs/git-lfs"
+package = "github.com/git-lfs/git-lfs/commands"
+
+description = """
+Due to the standard library behavior of exec.LookPath on Windows a number of methods may
+result in arbitary code execution when cloning or operating on untrusted Git repositories.
+"""
+
+os = ["windows"]
+
+cve = "CVE-2021-21237"
+
+credit = "@Ry0taK"
+
+symbols = ["PipeCommand"]
+
+[[versions]]
+fixed = "v1.5.1-0.20210113180018-fc664697ed2c"
+
+[[additional_packages]]
+module = "github.com/git-lfs/git-lfs"
+package = "github.com/git-lfs/git-lfs/creds"
+symbols = ["AskPassCredentialHelper.getFromProgram", "commandCredentialHelper.Approve"]
+[[additional_packages.versions]]
+fixed = "v1.5.1-0.20210113180018-fc664697ed2c"
+
+[[additional_packages]]
+module = "github.com/git-lfs/git-lfs"
+package = "github.com/git-lfs/git-lfs/lfs"
+symbols = ["pipeExtensions"]
+[[additional_packages.versions]]
+fixed = "v1.5.1-0.20210113180018-fc664697ed2c"
+
+[[additional_packages]]
+module = "github.com/git-lfs/git-lfs"
+package = "github.com/git-lfs/git-lfs/lfshttp"
+symbols = ["sshAuthClient.Resolve"]
+[[additional_packages.versions]]
+fixed = "v1.5.1-0.20210113180018-fc664697ed2c"
+
+[links]
+commit = "https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a"
+context = ["https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5"]
diff --git a/reports/GO-2021-0099.toml b/reports/GO-2021-0099.toml
@@ -0,0 +1,21 @@
+module = "github.com/deislabs/oras"
+package = "github.com/deislabs/oras/pkg/content"
+
+description = """
+Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore
+content store may result in directory traversal during archive extraction, allowing a
+malicious archive to write paths to arbitary paths that the process can write to.
+"""
+
+cve = "CVE-2021-21272"
+
+credit = "Chris Smowton"
+
+symbols = ["extractTarDirectory"]
+
+[[versions]]
+fixed = "v0.9.0"
+
+[links]
+commit = "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"
+context = ["https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"]
diff --git a/triaged-cve-list b/triaged-cve-list
