commit 02b2aa2e1c4439a017eebf10939c24f2488636cc
author Julie Qiu <julie@golang.org> Mon Jan 10 22:53:50 2022 -0500
committer Julie Qiu <julie@golang.org> Thu Jan 13 03:45:03 2022 +0000
tree d469cbae364e17025219f6e250955ae9e08dd73e
parent 77aeccf9b5c8cd4e4f6087741483a842e5719c02

reports: add GO-2021-0263 for CVE-2021-41771

Fixes golang/vulndb#263

Change-Id: I7e9f13f27dd30fc57870f3785887bbe9614556e6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377616
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>

reports/GO-2021-0263.yaml

diff --git a/reports/GO-2021-0263.yaml b/reports/GO-2021-0263.yaml
new file mode 100644
index 0000000..77d0a51
--- /dev/null
+++ b/reports/GO-2021-0263.yaml
@@ -0,0 +1,21 @@
+module: std
+package: debug/macho
+versions:
+- fixed: go1.17.3
+- fixed: go1.16.10
+description: |
+  Calling File.ImportedSymbols on a loaded file which contains an invalid
+  dynamic symbol table command can cause a panic, in particular if the encoded
+  number of undefined symbols is larger than the number of symbols in the symbol
+  table.
+cves:
+- CVE-2021-41771
+credit: Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech)
+symbols:
+- NewFile
+links:
+  pr: https://go.dev/cl/367075
+  commit: https://go.googlesource.com/go/+/61536ec03063b4951163bd09609c86d82631fa27
+  context:
+  - https://groups.google.com/g/golang-announce/c/0fM21h43arc
+  - https://go.dev/issue/48990