reports: add a handful of CVEs

Results of testing new CVE triaging tooling. Also adds a file which
tracks which CVEs have been triaged. Still need to add all of the
false positives, but would like to fine tune the triage tooling first
to hopefully cut down the number of them.

Change-Id: I7591b10f5abc5e73b6a3291beeaedca0032ad02f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/vulndb/+/1053804
Reviewed-by: Roland Shoemaker <bracewell@google.com>

Author: rolandshoemaker

reports/GO-2020-0005.toml

@@ -14,9 +14,6 @@ credit = "Trail of Bits"
 symbols = ["WAL.ReadAll"]
 
 [[versions]]
-# Do we also need a way to indicate "fixed after this version, but also these specific
-# earlier point releases are also fixed"? In this case >= 3.4.10 is fixed, but so was
-# 3.3.23
 fixed = "v0.5.0-alpha.5.0.20200423152442-f4b650b51dc4"
 
 [links]

reports/GO-2021-0056.toml

@@ -1,4 +1,5 @@
-module = "github.com/russellhaering/goxmldsig"
+module = "github.com/dexidp/dex"
+package = "github.com/dexidp/dex/connector/saml"
 
 description = """
 An XML message can be maliciously crafted such that signature
@@ -9,11 +10,11 @@ cve = "CVE-2020-15216"
 
 credit = "Juho Nurminen (Mattermost)"
 
-symbols = ["ValidationContext.findSignature"]
+symbols = ["provider.HandlePOST"]
 
 [[versions]]
-fixed = "v1.1.0"
+fixed = "v0.0.0-20201214082111-324b1c886b40"
 
 [links]
 commit = "https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8"
-context = ["https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"]
+context = ["https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"]

reports/GO-2021-0070.toml

@@ -0,0 +1,26 @@
+module = "github.com/opencontainers/runc"
+package = "github.com/opencontainers/runc/libcontainer/user"
+
+description = """
+GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
+improperly interpred numeric UIDs as usernames. If the method is used without
+verify usernames are formatted as expected, it may allow a user to gain unexpected
+privileges.
+"""
+
+cve = "CVE-2016-3697"
+
+symbols = ["GetExecUser"]
+
+[[versions]]
+fixed = "v0.1.0"
+
+[links]
+commit = "https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091"
+pr = "https://github.com/opencontainers/runc/pull/708"
+context = [
+    "https://github.com/docker/docker/issues/21436",
+    "http://rhn.redhat.com/errata/RHSA-2016-1034.html",
+    "http://rhn.redhat.com/errata/RHSA-2016-2634.html",
+    "https://security.gentoo.org/glsa/201612-28"
+]

reports/GO-2021-0071.toml

@@ -0,0 +1,22 @@
+module = "github.com/lxc/lxd"
+package = "github.com/lxc/lxd/shared"
+
+description = """
+A race between chown and chmod operations during a container filesystem shift
+may allow a user who can modify the filesystem to chmod an arbitary path of
+their choice, rather than the expected path.
+"""
+
+cve = "CVE-2015-1340"
+
+credit = "Seth Arnold"
+
+symbols = ["IdmapSet.doUidshiftIntoContainer"]
+
+[[versions]]
+fixed = "v0.0.0-20151004155856-19c6961cc101"
+
+[links]
+commit = "https://github.com/lxc/lxd/commit/19c6961cc1012c8a529f20807328a9357f5034f4"
+pr = "https://github.com/lxc/lxd/pull/1189"
+context = ["https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1502270"]

reports/GO-2021-0072.toml

@@ -0,0 +1,30 @@
+module = "github.com/docker/distribution"
+package = "github.com/docker/distribution/registry/handlers"
+
+description = """
+Various storage methods do not impose limits on how much content is accepted
+from user requests, allowing a malicious user to force the caller to allocate
+an arbitary amount of memory.
+"""
+
+cve = "CVE-2017-11468"
+
+symbols = ["copyFullPayload"]
+
+[[versions]]
+fixed = "v2.7.0-rc.0+incompatible"
+
+[[additional_packages]]
+module = "github.com/docker/distribution"
+package = "github.com/docker/distribution/registry/storage"
+symbols = ["blobStore.Get"]
+[[additional_packages.versions]]
+fixed = "v2.7.0-rc.0+incompatible"
+
+[links]
+commit = "https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f"
+pr = "https://github.com/distribution/distribution/pull/2340"
+context = [
+    "https://access.redhat.com/errata/RHSA-2017:2603",
+    "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html"
+]

reports/GO-2021-0073.toml

@@ -0,0 +1,24 @@
+module = "github.com/git-lfs/git-lfs"
+package = "github.com/git-lfs/git-lfs/lfsapi"
+
+description = """
+Arbitary command execution can be triggered by improperly
+sanitized SSH URLs in LFS configuration files. This can be
+triggered by cloning a malicious repoistory.
+"""
+
+cve = "CVE-2017-17831"
+
+symbols = ["sshGetLFSExeAndArgs"]
+
+[[versions]]
+fixed = "v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible"
+
+[links]
+commit = "https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19"
+pr = "https://github.com/git-lfs/git-lfs/pull/2241"
+context = [
+    "http://blog.recurity-labs.com/2017-08-10/scm-vulns",
+    "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html",
+    "http://www.securityfocus.com/bid/102926"
+]

reports/GO-2021-0075.toml

@@ -0,0 +1,19 @@
+module = "github.com/ethereum/go-ethereum"
+package = "github.com/ethereum/go-ethereum/les"
+
+description = """
+Due to improper argument validation in RPC messages, a maliciously crafted
+message can cause a panic, leading to denial of service.
+"""
+
+cve = "CVE-2018-12018"
+
+symbols = ["protocolManager.handleMsg"]
+
+[[versions]]
+fixed = "v1.8.11"
+
+[links]
+commit = "https://github.com/ethereum/go-ethereum/commit/a5237a27eaf81946a3edb4fafe13ed6359d119e4"
+pr = "https://github.com/ethereum/go-ethereum/pull/16891"
+context = ["https://peckshield.com/2018/06/27/EPoD/"]

reports/GO-2021-0076.toml

@@ -0,0 +1,18 @@
+module = "github.com/evanphx/json-patch"
+
+description = """
+A malicious JSON patch can cause a panic due to an out-of-bounds
+write attempt. This can be used as a denial of service vector if
+exposed to arbitary user input.
+"""
+
+cve = "CVE-2018-14632"
+
+symbols = ["partialArray.add"]
+
+[[versions]]
+fixed = "v0.5.2"
+
+[links]
+commit = "https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03"
+pr = "https://github.com/evanphx/json-patch/pull/57"

reports/GO-2021-0077.toml

@@ -0,0 +1,20 @@
+module = "go.etcd.io/etcd"
+package = "go.etcd.io/etcd/auth"
+
+description = """
+A user can use a valid client certificate that contains a CommonName that matches a
+valid RBAC username to authenticate themselves as that user, despite lacking the
+required credentials. This may allow authentication bypass, but requires a certificate
+that is issued by a CA trusted by the server.
+"""
+
+cve = "CVE-2018-16886"
+
+symbols = ["authStore.AuthInfoFromTLS"]
+
+[[versions]]
+fixed = "v0.5.0-alpha.5.0.20190108173120-83c051b701d3"
+
+[links]
+commit = "https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2"
+pr = "https://github.com/etcd-io/etcd/pull/10366"

reports/GO-2021-0078.toml

@@ -0,0 +1,26 @@
+module = "golang.org/x/net"
+package = "golang.org/x/net/html"
+
+description = """
+The HTML parser does not properly handle "in frameset" insertion mode, and can be made
+to panic when operating on malformed HTML that contains <template> tags. If operating
+on user input, this may be a vector for a denial of service attack.
+"""
+
+cve = "CVE-2018-17075"
+
+credit = "Kunpei Sakai"
+
+symbols = ["inBodyIM", "inFramesetIM"]
+
+[[versions]]
+fixed = "v0.0.0-20180816102801-aaf60122140d"
+
+[links]
+commit = "https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50"
+pr = "https://go-review.googlesource.com/123776"
+context = [
+    "https://github.com/golang/go/issues/27016",
+    "https://bugs.chromium.org/p/chromium/issues/detail?id=829668",
+    "https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906"
+]