data/reports: add GO-2023-1882.yaml

Aliases: CVE-2023-34450 Fixes #1882 Change-Id: I75b725165c45e89f6ccd90cc1bc4cb96d2ee1e07 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/507903 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Jonathan Amsterdam <jba@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
golang · Jul 6, 2023 · 5ab3843 · 5ab3843
1 parent f4ae623
commit 5ab3843
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 0 deletions.
diff --git a/data/osv/GO-2023-1882.json b/data/osv/GO-2023-1882.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2023-1882",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-34450",
+    "GHSA-mvj3-qrqh-cjvr"
+  ],
+  "summary": "Deadlock in github.com/cometbft/cometbft/consensus",
+  "details": "An internal modification to the way PeerState is serialized to JSON introduced a deadlock when the new function MarshalJSON is called.\n\nThis function can be called in two ways. The first is via logs, by setting the consensus logging module to \"debug\" level (which should not happen in production), and setting the log output format to JSON. The second is via RPC dump_consensus_state.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cometbft/cometbft",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.37.1"
+            },
+            {
+              "fixed": "0.37.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cometbft/cometbft/consensus",
+            "symbols": [
+              "PeerState.MarshalJSON"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cometbft/cometbft/pull/524"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cometbft/cometbft/pull/863"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cometbft/cometbft/pull/865"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2023-1882"
+  }
+}
diff --git a/data/reports/GO-2023-1882.yaml b/data/reports/GO-2023-1882.yaml
@@ -0,0 +1,29 @@
+id: GO-2023-1882
+modules:
+    - module: github.com/cometbft/cometbft
+      versions:
+        - introduced: 0.37.1
+          fixed: 0.37.2
+      vulnerable_at: 0.37.1
+      packages:
+        - package: github.com/cometbft/cometbft/consensus
+          symbols:
+            - PeerState.MarshalJSON
+summary: Deadlock in github.com/cometbft/cometbft/consensus
+description: |-
+    An internal modification to the way PeerState is serialized to JSON introduced
+    a deadlock when the new function MarshalJSON is called.
+
+    This function can be called in two ways. The first is via logs, by setting
+    the consensus logging module to "debug" level (which should not happen in
+    production), and setting the log output format to JSON. The second is via
+    RPC dump_consensus_state.
+cves:
+    - CVE-2023-34450
+ghsas:
+    - GHSA-mvj3-qrqh-cjvr
+references:
+    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr
+    - fix: https://github.com/cometbft/cometbft/pull/524
+    - fix: https://github.com/cometbft/cometbft/pull/863
+    - fix: https://github.com/cometbft/cometbft/pull/865