x/vuln: Cannot handle multiple "fixed" events on vulns.json #55035

Closed
mrkschan opened this issue Sep 13, 2022 · 5 comments
Labels: FrozenDueToAge, vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)

Comments

@mrkschan

mrkschan commented Sep 13, 2022

What version of Go are you using (go version)?

$ go version
go version go1.18.6 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/mrkschan/.cache/go-build"
GOENV="/home/mrkschan/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/mrkschan/.gvm/pkgsets/go1.18.6/global/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/mrkschan/.gvm/pkgsets/go1.18.6/global"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/mrkschan/.gvm/gos/go1.18.6"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/mrkschan/.gvm/gos/go1.18.6/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.6"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build123561259=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Running govulncheck, getting a false alarm for GO-2022-0969, which has more than one "fixed" event in vulns.json.

govulncheck ./...   
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...

Snippet of /home/mrkschan/.gvm/pkgsets/go1.18.6/global/pkg/mod/cache/download/vulndb/vuln.go.dev/stdlib/vulns.json

      "affected" : [
         {
            "database_specific" : {
               "url" : "https://pkg.go.dev/vuln/GO-2022-0969"
            },
            "ecosystem_specific" : {
               "imports" : [
                  {
                     "path" : "net/http",
                     "symbols" : [
                        "ListenAndServe",
                        "ListenAndServeTLS",
                        "Serve",
                        "ServeTLS",
                        "Server.ListenAndServe",
                        "Server.ListenAndServeTLS",
                        "Server.Serve",
                        "Server.ServeTLS",
                        "http2Server.ServeConn",
                        "http2serverConn.goAway"
                     ]
                  }
               ]
            },
            "package" : {
               "ecosystem" : "Go",
               "name" : "stdlib"
            },
            "ranges" : [
               {
                  "events" : [
                     {
                        "introduced" : "0"
                     },
                     {
                        "fixed" : "1.18.6"
                     },
                     {
                        "introduced" : "1.19.0"
                     },
                     {
                        "fixed" : "1.19.1"
                     }
                  ],
                  "type" : "SEMVER"
               }
            ]
         },

What did you expect to see?

No vulnerability found on golang 1.18.6

What did you see instead?

Found 1 known vulnerability.

Vulnerability #1: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean
  shutdown that was preempted by a fatal error. This condition can
  be exploited by a malicious client to cause a denial of service.

  Call stacks in your code:
      cmd/local/main.go:139:31: local/cmd/local.main$1 calls net/http.Server.ListenAndServe

  Found in: net/http@go1.18.6
  Fixed in: net/http@go1.19.1
  More info: https://pkg.go.dev/vuln/GO-2022-0969
@mrkschan mrkschan added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 13, 2022
@gopherbot gopherbot added this to the Unreleased milestone Sep 13, 2022
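As an added example (not code from this report or from x/vuln), the OSV range quoted above evaluated in Go for the versions the issue discusses: the events list for GO-2022-0969 is copied from the vulns.json snippet, while GO2022_0969, key, Affected and AffectedByLastFixed are names I chose, and the naive variant is a hypothetical illustration of how comparing only against the last "fixed" version yields exactly this false alarm for 1.18.6.

```go
package main

import (
	"strconv"
	"strings"
)

// Event mirrors one entry of an OSV SEMVER "events" list: one field is set.
type Event struct{ Introduced, Fixed string }

// Events for GO-2022-0969, copied from the vulns.json snippet in the report.
// They describe two disjoint affected intervals: [0, 1.18.6) and [1.19.0, 1.19.1).
var GO2022_0969 = []Event{
	{Introduced: "0"}, {Fixed: "1.18.6"}, {Introduced: "1.19.0"}, {Fixed: "1.19.1"},
}

// key maps "1.18.6", "go1.18.6" or OSV's bare "0" to one comparable integer
// (assumes each component < 1000; pre-release tags are not handled).
func key(v string) int {
	n := 0
	parts := strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3)
	for i := 0; i < 3; i++ {
		n *= 1000
		if i < len(parts) {
			p, _ := strconv.Atoi(parts[i])
			n += p
		}
	}
	return n
}

// Affected walks the ascending events once, toggling state at every
// boundary that v has reached; the state after the last event is the answer.
func Affected(events []Event, v string) bool {
	affected := false
	for _, e := range events {
		switch {
		case e.Introduced != "" && key(v) >= key(e.Introduced):
			affected = true
		case e.Fixed != "" && key(v) >= key(e.Fixed):
			affected = false
		}
	}
	return affected
}

// AffectedByLastFixed is a hypothetical naive check (not govulncheck's code)
// that only compares against the final "fixed" entry: 1.18.6 < 1.19.1, so "affected".
func AffectedByLastFixed(events []Event, v string) bool {
	return key(v) < key(events[len(events)-1].Fixed)
}
```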
@timothy-king
Contributor

cc @zpavlinovic

@zpavlinovic zpavlinovic self-assigned this Sep 13, 2022
@julieqiu julieqiu removed the x/vuln label Sep 13, 2022
@szuecs

szuecs commented Sep 13, 2022

Not really sure if it's a similar case, but also https://pkg.go.dev/vuln/GO-2022-0988 shows nothing for 1.18, but the announcement https://groups.google.com/g/golang-announce/c/x49AQzIVX-s reads like both (https://pkg.go.dev/vuln/GO-2022-0969 and https://pkg.go.dev/vuln/GO-2022-0988 ) were fixed in 1.18.6.

  Found in: net/url@go1.18.6
  Fixed in: net/url@go1.19.1
  More info: https://pkg.go.dev/vuln/GO-2022-0988
make: *** [Makefile:153: govulncheck] Error 3

I created a separate issue: #55049

@zpavlinovic
Contributor

Thanks for reporting this! We are looking into the issue and should have a fix soon.

@ainar-g
Contributor

ainar-g commented Sep 14, 2022

v0.0.0-20220914155410-4c9734e34c0b seems to have fixed it for me.

@zpavlinovic
Contributor

v0.0.0-20220914155410-4c9734e34c0b

Thanks for confirming. I will close it for now. We can reopen if the issue appears again.

@golang golang locked and limited conversation to collaborators Sep 14, 2023