data/reports: review GO-2024-3104

- data/reports/GO-2024-3104.yaml Fixes #3104 Change-Id: If5833ed05bfdf2e9a26f62b20979ba9c4d730be2 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635699 Reviewed-by: Zvonimir Pavlinovic <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
golang · Dec 12, 2024 · ec8e9cf · ec8e9cf
1 parent dee8c78
commit ec8e9cf
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 10 deletions.
diff --git a/data/osv/GO-2024-3104.json b/data/osv/GO-2024-3104.json
@@ -28,18 +28,29 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/ollama/ollama/cmd",
+            "symbols": [
+              "tempZipFiles"
+            ]
+          },
+          {
+            "path": "github.com/ollama/ollama/server",
+            "symbols": [
+              "parseFromZipFile"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://github.com/advisories/GHSA-846m-99qv-67mg"
     },
-    {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45436"
-    },
     {
       "type": "FIX",
       "url": "https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527"
@@ -55,6 +66,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2024-3104",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2024-3104.yaml b/data/reports/GO-2024-3104.yaml
@@ -4,18 +4,28 @@ modules:
       versions:
         - fixed: 0.1.47
       vulnerable_at: 0.1.46
-summary: Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama
+      packages:
+        - package: github.com/ollama/ollama/cmd
+          symbols:
+            - tempZipFiles
+        - package: github.com/ollama/ollama/server
+          symbols:
+            - parseFromZipFile
+summary: |-
+    Ollama can extract members of a ZIP archive outside of the parent directory in
+    github.com/ollama/ollama
 cves:
     - CVE-2024-45436
 ghsas:
     - GHSA-846m-99qv-67mg
 references:
     - advisory: https://github.com/advisories/GHSA-846m-99qv-67mg
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45436
     - fix: https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527
     - fix: https://github.com/ollama/ollama/pull/5314
     - web: https://github.com/ollama/ollama/compare/v0.1.46...v0.1.47
+notes:
+    - I was not able to generate derived symbols due to a cgo error.
 source:
     id: GHSA-846m-99qv-67mg
-    created: 2024-08-30T11:49:51.257019-04:00
-review_status: NEEDS_REVIEW
+    created: 2024-12-12T13:00:47.375499-05:00
+review_status: REVIEWED