data/reports: add 2 first party reports

thatnealpatel · gopherbot · commit 3d8b4cf0b6c2 · 2025-11-19T12:11:57.000-08:00
- data/reports/GO-2025-4134.yaml - data/reports/GO-2025-4135.yaml Fixes #4134 Fixes #4135 Change-Id: I4c9bc8ba649f0d686821a4cdfee0ebbdfa614c0d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/721982 Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Neal Patel <nealpatel@google.com>
diff --git a/data/cve/v5/GO-2025-4134.json b/data/cve/v5/GO-2025-4134.json
@@ -0,0 +1,68 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2025-58181"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "title": "CVE-2025-58181 in golang.org/x/crypto/ssh",
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "golang.org/x/crypto",
+          "product": "golang.org/x/crypto/ssh",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "golang.org/x/crypto/ssh",
+          "programRoutines": [
+            {
+              "name": "parseGSSAPIPayload"
+            },
+            {
+              "name": "NewServerConn"
+            }
+          ],
+          "defaultStatus": "affected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE-1284"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
+        },
+        {
+          "url": "https://go.dev/cl/721961"
+        },
+        {
+          "url": "https://go.dev/issue/76363"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2025-4134"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "Jakub Ciolek"
+        }
+      ]
+    }
+  }
+}
diff --git a/data/cve/v5/GO-2025-4135.json b/data/cve/v5/GO-2025-4135.json
@@ -0,0 +1,71 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2025-47914"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "title": "CVE-2025-47914 in golang.org/x/crypto/ssh/agent",
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "golang.org/x/crypto",
+          "product": "golang.org/x/crypto/ssh/agent",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "golang.org/x/crypto/ssh/agent",
+          "programRoutines": [
+            {
+              "name": "parseConstraints"
+            },
+            {
+              "name": "ForwardToAgent"
+            },
+            {
+              "name": "ServeAgent"
+            }
+          ],
+          "defaultStatus": "affected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE-237"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
+        },
+        {
+          "url": "https://go.dev/cl/721960"
+        },
+        {
+          "url": "https://go.dev/issue/76364"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2025-4135"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "Jakub Ciolek"
+        }
+      ]
+    }
+  }
+}
diff --git a/data/osv/GO-2025-4134.json b/data/osv/GO-2025-4134.json
@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4134",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-58181"
+  ],
+  "summary": "CVE-2025-58181 in golang.org/x/crypto/ssh",
+  "details": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
+  "affected": [
+    {
+      "package": {
+        "name": "golang.org/x/crypto",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "golang.org/x/crypto/ssh",
+            "symbols": [
+              "NewServerConn",
+              "parseGSSAPIPayload"
+            ]
+          }
+        ],
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.45.0"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
+    },
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/721961"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/76363"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Jakub Ciolek"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4134",
+    "review_status": "REVIEWED"
+  }
+}
diff --git a/data/osv/GO-2025-4135.json b/data/osv/GO-2025-4135.json
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4135",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-47914"
+  ],
+  "summary": "CVE-2025-47914 in golang.org/x/crypto/ssh/agent",
+  "details": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
+  "affected": [
+    {
+      "package": {
+        "name": "golang.org/x/crypto",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "golang.org/x/crypto/ssh/agent",
+            "symbols": [
+              "ForwardToAgent",
+              "ServeAgent",
+              "parseConstraints"
+            ]
+          }
+        ],
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.45.0"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
+    },
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/721960"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/76364"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Jakub Ciolek"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4135",
+    "review_status": "REVIEWED"
+  }
+}
diff --git a/data/reports/GO-2025-4134.yaml b/data/reports/GO-2025-4134.yaml
@@ -0,0 +1,30 @@
+id: GO-2025-4134
+modules:
+    - module: golang.org/x/crypto
+      non_go_versions:
+        - fixed: 0.45.0
+      vulnerable_at: 0.44.0
+      packages:
+        - package: golang.org/x/crypto/ssh
+          symbols:
+            - parseGSSAPIPayload
+          derived_symbols:
+            - NewServerConn
+summary: CVE-2025-58181 in golang.org/x/crypto/ssh
+description: |-
+    SSH servers parsing GSSAPI authentication requests do not validate the number of
+    mechanisms specified in the request, allowing an attacker to cause unbounded
+    memory consumption.
+credits:
+    - Jakub Ciolek
+references:
+    - advisory: https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
+    - fix: https://go.dev/cl/721961
+    - report: https://go.dev/issue/76363
+cve_metadata:
+    id: CVE-2025-58181
+    cwe: CWE-1284
+source:
+    id: go-security-team
+    created: 2025-11-19T13:45:59.697504-05:00
+review_status: REVIEWED
diff --git a/data/reports/GO-2025-4135.yaml b/data/reports/GO-2025-4135.yaml
@@ -0,0 +1,31 @@
+id: GO-2025-4135
+modules:
+    - module: golang.org/x/crypto
+      non_go_versions:
+        - fixed: 0.45.0
+      vulnerable_at: 0.44.0
+      packages:
+        - package: golang.org/x/crypto/ssh/agent
+          symbols:
+            - parseConstraints
+          derived_symbols:
+            - ForwardToAgent
+            - ServeAgent
+summary: CVE-2025-47914 in golang.org/x/crypto/ssh/agent
+description: |-
+    SSH Agent servers do not validate the size of messages when processing new
+    identity requests, which may cause the program to panic if the message is
+    malformed due to an out of bounds read.
+credits:
+    - Jakub Ciolek
+references:
+    - advisory: https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
+    - fix: https://go.dev/cl/721960
+    - report: https://go.dev/issue/76364
+cve_metadata:
+    id: CVE-2025-47914
+    cwe: CWE-237
+source:
+    id: go-security-team
+    created: 2025-11-19T13:46:02.007781-05:00
+review_status: REVIEWED
