Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/google/fscrypt: CVE-2022-25327 #340

Closed
GoVulnBot opened this issue Feb 25, 2022 · 4 comments
Closed

x/vulndb: potential Go vuln in github.com/google/fscrypt: CVE-2022-25327 #340

GoVulnBot opened this issue Feb 25, 2022 · 4 comments
Assignees
@neild
Labels
cve-year-2022 excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In CVE-2022-25327, the reference URL github.com/google/fscrypt (and possibly others) refers to something in Go.

module: github.com/google/fscrypt
package: fscrypt
description: |
    The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above
cves:
  - CVE-2022-25327
credit: Matthias Gerstner of SUSE
links:
    pr: https://github.com/google/fscrypt/pull/346

See doc/triage.md for instructions on how to triage this report.
@neild neild assigned neild and unassigned rolandshoemaker Jul 7, 2022
@neild
Copy link
Contributor

neild commented Jul 7, 2022

See #339: Importable package, but effectively internal.

@neild neild closed this as completed Jul 7, 2022
@neild neild mentioned this issue Jul 7, 2022
Closed
@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 11, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/514875 mentions this issue: data/excluded: update GO-2022-0340.yaml to add GHSA

gopherbot pushed a commit that referenced this issue Aug 1, 2023
@tatianab
data/excluded: update GO-2022-0340.yaml to add GHSA
91090a5 
Updates #340
Fixes #376

Change-Id: I4c99bd1b3ecfabacfbc77faebce847da8c69de74
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/514875
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607216 mentions this issue: data/reports: unexclude 20 reports (14)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (14)
b61874e 
  - data/reports/GO-2022-0314.yaml
  - data/reports/GO-2022-0315.yaml
  - data/reports/GO-2022-0325.yaml
  - data/reports/GO-2022-0328.yaml
  - data/reports/GO-2022-0329.yaml
  - data/reports/GO-2022-0339.yaml
  - data/reports/GO-2022-0340.yaml
  - data/reports/GO-2022-0342.yaml
  - data/reports/GO-2022-0344.yaml
  - data/reports/GO-2022-0348.yaml
  - data/reports/GO-2022-0350.yaml
  - data/reports/GO-2022-0351.yaml
  - data/reports/GO-2022-0353.yaml
  - data/reports/GO-2022-0354.yaml
  - data/reports/GO-2022-0357.yaml
  - data/reports/GO-2022-0358.yaml
  - data/reports/GO-2022-0359.yaml
  - data/reports/GO-2022-0360.yaml
  - data/reports/GO-2022-0363.yaml
  - data/reports/GO-2022-0365.yaml

Updates #314
Updates #315
Updates #325
Updates #328
Updates #329
Updates #339
Updates #340
Updates #342
Updates #344
Updates #348
Updates #350
Updates #351
Updates #353
Updates #354
Updates #357
Updates #358
Updates #359
Updates #360
Updates #363
Updates #365

Change-Id: I88cff49c8c254ce8df68a3fb336657e69cb8ed58
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607216
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@neild neild

Labels
cve-year-2022 excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@neild @rolandshoemaker @julieqiu @gopherbot @GoVulnBot