x/vulndb: potential Go vuln in github.com/ginuerzh/gost: GHSA-qjrq-hm79-49ww

[GoVulnBot]

In GitHub Security Advisory GHSA-qjrq-hm79-49ww, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/ginuerzh/gost		<= 2.11.5

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/ginuerzh/gost
    versions:
      - {}
    packages:
      - package: github.com/ginuerzh/gost
summary: ginuerzh/gost vulnerable to Timing Attack
description: "[Timing attacks](https://en.wikipedia.org/wiki/Timing_attack) occur
    when an attacker can guess a secret by observing a difference in processing time
    for valid and invalid inputs. Sensitive secrets such as passwords, token and API
    keys should be compared only using a constant-time comparision function.\nMore
    information on this attack type can be found in [this blog post](https://verboselogging.com/2012/08/20/a-timing-attack-in-action).
    \n\n# Root Cause Analysis\n\nIn this case, the vulnerability occurs due to the
    following code.\n\nhttps://github.com/ginuerzh/gost/blob/1c62376e0880e4094bd3731e06bd4f7842638f6a/auth.go#L46-L46\n\nHere,
    a untrusted input, sourced from a HTTP header, is compared directly with a secret.
    \nSince, this comparision is not secure, an attacker can mount a side-channel
    timing attack to guess the password.\n\n# Remediation\n\nThis can be easily fixed
    using a constant time comparing function such as `crypto/subtle`'s `ConstantTimeCompare`.
    \nAn example fix can be found in https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820
    Alternatively, one can apply the patch below\n\n```\nFrom d18cff85e1a565f688f717fd8f2cacea62ff9dbf
    Mon Sep 17 00:00:00 2001\nFrom: Porcupiney Hairs <porcupiney.hairs@protonmail.com>\nDate:
    Sun, 7 May 2023 01:03:33 +0530\nSubject: [PATCH] Fix : Timing attack\n\n---\n
    auth.go | 4 +++-\n 1 file changed, 3 insertions(+), 1 deletion(-)\n\ndiff --git
    a/auth.go b/auth.go\nindex 1be96e9..be13f23 100644\n--- a/auth.go\n+++ b/auth.go\n@@
    -2,6 +2,7 @@ package gost\n \n import (\n \t\"bufio\"\n+\t\"crypto/subtle\"\n
    \t\"io\"\n \t\"strings\"\n \t\"sync\"\n@@ -43,7 +44,8 @@ func (au *LocalAuthenticator)
    Authenticate(user, password string) bool {\n \t}\n \n \tv, ok := au.kvs[user]\n-\treturn
    ok && (v == \"\" || password == v)\n+\tpassOk := subtle.ConstantTimeCompare([]byte(password),
    []byte(v)) == 0\n+\treturn ok && (v == \"\" || passOk)\n }\n \n // Add adds a
    key-value pair to the Authenticator.\n-- \n2.25.1\n\n```"
ghsas:
  - GHSA-qjrq-hm79-49ww
references:
  - advisory: https://github.com/ginuerzh/gost/security/advisories/GHSA-qjrq-hm79-49ww
  - web: https://github.com/ginuerzh/gost/blob/1c62376e0880e4094bd3731e06bd4f7842638f6a/auth.go#L46
  - advisory: https://github.com/advisories/GHSA-qjrq-hm79-49ww

[gopherbot]

Change https://go.dev/cl/503837 mentions this issue: data/excluded: batch add 21 excluded reports

[gopherbot]

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports