Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/matrix-org/dendrite: CVE-2022-39200 #989

Closed
GoVulnBot opened this issue Sep 12, 2022 · 4 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. NeedsTriage

Comments

@GoVulnBot
Copy link

CVE-2022-39200 references github.com/matrix-org/dendrite, which may be a Go module.

Description:
Dendrite is a Matrix homeserver written in Go. In affected versions events retrieved from a remote homeserver using the /get_missing_events path did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state) as they have been correctly verified. Homeservers that have federation disabled are not vulnerable. The problem has been fixed in Dendrite 0.9.8. Users are advised to upgrade. There are no known workarounds for this issue.

References:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/matrix-org/dendrite
    packages:
      - package: dendrite
description: |
    Dendrite is a Matrix homeserver written in Go. In affected versions events retrieved from a remote homeserver using the `/get_missing_events` path did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events retrieved through other endpoints (e.g. `/event`, `/state`) as they have been correctly verified. Homeservers that have federation disabled are not vulnerable. The problem has been fixed in Dendrite 0.9.8. Users are advised to upgrade. There are no known workarounds for this issue.
cves:
  - CVE-2022-39200
references:
  - web: https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c
  - fix: https://github.com/matrix-org/dendrite/commit/2792d0490f3771488bad346981b8c26479a872c3

@zpavlinovic
Copy link
Contributor

zpavlinovic commented Sep 16, 2022

https://github.com/matrix-org/dendrite is a binary not imported by anyone. The fix is an internal package used by a non-internal package that is also not imported by anyone (that is, it used to be imported by one module that is now gone). The fixed symbol leads to nowhere. This is effectively not importable.

@zpavlinovic zpavlinovic added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Sep 16, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/431537 mentions this issue: data/excluded: add GO-2022-0989.yaml for CVE-2022-39200

@zpavlinovic zpavlinovic added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. labels Sep 19, 2022
gopherbot pushed a commit that referenced this issue Sep 19, 2022
Fixes #989

Change-Id: Ica8b7bea5a290b86e5b759aa5fb0f5fb66617a2d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/431537
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592774 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607230 mentions this issue: data/reports: unexclude 20 reports (28)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-0985.yaml
  - data/reports/GO-2022-0986.yaml
  - data/reports/GO-2022-0987.yaml
  - data/reports/GO-2022-0989.yaml
  - data/reports/GO-2022-0995.yaml
  - data/reports/GO-2022-1000.yaml
  - data/reports/GO-2022-1006.yaml
  - data/reports/GO-2022-1014.yaml
  - data/reports/GO-2022-1015.yaml
  - data/reports/GO-2022-1019.yaml
  - data/reports/GO-2022-1021.yaml
  - data/reports/GO-2022-1023.yaml
  - data/reports/GO-2022-1029.yaml
  - data/reports/GO-2022-1032.yaml
  - data/reports/GO-2022-1033.yaml
  - data/reports/GO-2022-1060.yaml
  - data/reports/GO-2022-1062.yaml
  - data/reports/GO-2022-1065.yaml
  - data/reports/GO-2022-1066.yaml
  - data/reports/GO-2022-1067.yaml

Updates #985
Updates #986
Updates #987
Updates #989
Updates #995
Updates #1000
Updates #1006
Updates #1014
Updates #1015
Updates #1019
Updates #1021
Updates #1023
Updates #1029
Updates #1032
Updates #1033
Updates #1060
Updates #1062
Updates #1065
Updates #1066
Updates #1067

Change-Id: I27b6f79e1898a13040a758a71348464c5e7c72a9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607230
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. NeedsTriage
Projects
None yet
Development

No branches or pull requests

4 participants