sprints work.

2026-01-20 00:45:38 +02:00
parent b34bde89fa
commit 4903395618
275 changed files with 52785 additions and 79 deletions
--- a/datasets/golden-pairs/security-pairs-index.yaml
+++ b/datasets/golden-pairs/security-pairs-index.yaml
@@ -0,0 +1,217 @@
+# Golden Security Pairs Index
+# 16 curated pairs per VALH-009 requirements
+# Format: OpenSSL (8), zlib (4), libxml2 (4)
+
+pairs:
+  # OpenSSL: 2 CVE micro-bumps × 4 distros = 8 pairs
+  - id: openssl-001
+    cve: CVE-2024-0727
+    library: openssl
+    version_before: "3.0.12"
+    version_after: "3.0.13"
+    distribution: ubuntu:jammy
+    architecture: amd64
+    affected_functions:
+      - PKCS12_parse
+      - PKCS12_verify_mac
+    patch_type: security_fix
+
+  - id: openssl-002
+    cve: CVE-2024-0727
+    library: openssl
+    version_before: "3.0.12"
+    version_after: "3.0.13"
+    distribution: debian:bookworm
+    architecture: amd64
+    affected_functions:
+      - PKCS12_parse
+      - PKCS12_verify_mac
+    patch_type: security_fix
+
+  - id: openssl-003
+    cve: CVE-2024-0727
+    library: openssl
+    version_before: "3.0.12"
+    version_after: "3.0.13"
+    distribution: fedora:39
+    architecture: amd64
+    affected_functions:
+      - PKCS12_parse
+      - PKCS12_verify_mac
+    patch_type: security_fix
+
+  - id: openssl-004
+    cve: CVE-2024-0727
+    library: openssl
+    version_before: "3.0.12"
+    version_after: "3.0.13"
+    distribution: alpine:3.19
+    architecture: amd64
+    affected_functions:
+      - PKCS12_parse
+      - PKCS12_verify_mac
+    patch_type: security_fix
+
+  - id: openssl-005
+    cve: CVE-2023-5678
+    library: openssl
+    version_before: "3.0.11"
+    version_after: "3.0.12"
+    distribution: ubuntu:jammy
+    architecture: amd64
+    affected_functions:
+      - DH_generate_key
+      - DH_check_ex
+    patch_type: security_fix
+
+  - id: openssl-006
+    cve: CVE-2023-5678
+    library: openssl
+    version_before: "3.0.11"
+    version_after: "3.0.12"
+    distribution: debian:bookworm
+    architecture: amd64
+    affected_functions:
+      - DH_generate_key
+      - DH_check_ex
+    patch_type: security_fix
+
+  - id: openssl-007
+    cve: CVE-2023-5678
+    library: openssl
+    version_before: "3.0.11"
+    version_after: "3.0.12"
+    distribution: fedora:39
+    architecture: amd64
+    affected_functions:
+      - DH_generate_key
+      - DH_check_ex
+    patch_type: security_fix
+
+  - id: openssl-008
+    cve: CVE-2023-5678
+    library: openssl
+    version_before: "3.0.11"
+    version_after: "3.0.12"
+    distribution: alpine:3.19
+    architecture: amd64
+    affected_functions:
+      - DH_generate_key
+      - DH_check_ex
+    patch_type: security_fix
+
+  # zlib: 1 minor security patch × 4 distros = 4 pairs
+  - id: zlib-001
+    cve: CVE-2023-45853
+    library: zlib
+    version_before: "1.2.13"
+    version_after: "1.3"
+    distribution: ubuntu:jammy
+    architecture: amd64
+    affected_functions:
+      - deflate
+      - deflateEnd
+      - inflateSync
+    patch_type: security_fix
+
+  - id: zlib-002
+    cve: CVE-2023-45853
+    library: zlib
+    version_before: "1.2.13"
+    version_after: "1.3"
+    distribution: debian:bookworm
+    architecture: amd64
+    affected_functions:
+      - deflate
+      - deflateEnd
+      - inflateSync
+    patch_type: security_fix
+
+  - id: zlib-003
+    cve: CVE-2023-45853
+    library: zlib
+    version_before: "1.2.13"
+    version_after: "1.3"
+    distribution: fedora:39
+    architecture: amd64
+    affected_functions:
+      - deflate
+      - deflateEnd
+      - inflateSync
+    patch_type: security_fix
+
+  - id: zlib-004
+    cve: CVE-2023-45853
+    library: zlib
+    version_before: "1.2.13"
+    version_after: "1.3"
+    distribution: alpine:3.19
+    architecture: amd64
+    affected_functions:
+      - deflate
+      - deflateEnd
+      - inflateSync
+    patch_type: security_fix
+
+  # libxml2: 1 parser bugfix × 4 distros = 4 pairs
+  - id: libxml2-001
+    cve: CVE-2024-25062
+    library: libxml2
+    version_before: "2.12.3"
+    version_after: "2.12.4"
+    distribution: ubuntu:jammy
+    architecture: amd64
+    affected_functions:
+      - xmlParseChunk
+      - xmlParseDocument
+      - xmlCtxtReadMemory
+    patch_type: parser_fix
+
+  - id: libxml2-002
+    cve: CVE-2024-25062
+    library: libxml2
+    version_before: "2.12.3"
+    version_after: "2.12.4"
+    distribution: debian:bookworm
+    architecture: amd64
+    affected_functions:
+      - xmlParseChunk
+      - xmlParseDocument
+      - xmlCtxtReadMemory
+    patch_type: parser_fix
+
+  - id: libxml2-003
+    cve: CVE-2024-25062
+    library: libxml2
+    version_before: "2.12.3"
+    version_after: "2.12.4"
+    distribution: fedora:39
+    architecture: amd64
+    affected_functions:
+      - xmlParseChunk
+      - xmlParseDocument
+      - xmlCtxtReadMemory
+    patch_type: parser_fix
+
+  - id: libxml2-004
+    cve: CVE-2024-25062
+    library: libxml2
+    version_before: "2.12.3"
+    version_after: "2.12.4"
+    distribution: alpine:3.19
+    architecture: amd64
+    affected_functions:
+      - xmlParseChunk
+      - xmlParseDocument
+      - xmlCtxtReadMemory
+    patch_type: parser_fix
+
+metadata:
+  version: "1.0"
+  created: "2026-01-19"
+  description: "Starter corpus with 16 security pairs for validation harness (VALH-009)"
+  coverage:
+    openssl: 8
+    zlib: 4
+    libxml2: 4
+    total: 16