commit 063e85916a8391ddf7046a9b21239f7d551b558c
author Damien Neil <dneil@google.com> Wed Jun 29 15:15:48 2022 -0700
committer Damien Neil <dneil@google.com> Fri Jul 01 20:15:19 2022 +0000
tree cf0331cc4551b506c06931c5ac164c91184a4897
parent b91c20631feafa92437a9b7fbf15b517090edac6

x/vulndb: add reports/GO-2022-0197.yaml for CVE-2018-17847, CVE-2018-17848

Fixes golang/vulndb#0197

Change-Id: Id6a0be57fb566ea92d70d46d9014accb8ed65329
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/415275
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

reports/GO-2022-0197.yaml

diff --git a/reports/GO-2022-0197.yaml b/reports/GO-2022-0197.yaml
new file mode 100644
index 0000000..7c54e01
--- /dev/null
+++ b/reports/GO-2022-0197.yaml
@@ -0,0 +1,25 @@
+packages:
+  - module: golang.org/x/net
+    package: golang.org/x/net/html
+    symbols:
+      - nodeStack.contains
+    derived_symbols:
+      - Parse
+      - ParseFragment
+    versions:
+      - fixed: 0.0.0-20190125002852-4b62a64f59f7
+    vulnerable_at: 0.0.0-20190119204137-ed066c81e75e
+description: |
+    The Parse function can panic on some invalid inputs.
+
+    For example, the Parse function panics on the input
+    "<svg><template><desc><t><svg></template>".
+cves:
+  - CVE-2018-17847
+  - CVE-2018-17848
+credit: '@tr3ee'
+links:
+    pr: https://go.dev/cl/159397
+    commit: https://go.googlesource.com/net/+/4b62a64f59f73840b9ab79204c94fee61cd1ba2c
+    context:
+      - https://go.dev/issue/27846