| modules: |
| - module: cmd |
| versions: |
| - fixed: 1.16.9 |
| - introduced: 1.17.0 |
| fixed: 1.17.2 |
| packages: |
| - package: cmd/link |
| goos: |
| - js |
| goarch: |
| - wasm |
| symbols: |
| - Link.address |
| skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]' |
| - package: misc/wasm |
| goos: |
| - js |
| goarch: |
| - wasm |
| symbols: |
| - run |
| skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]' |
| description: | |
| When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, |
| passing very large arguments can cause portions of the module to be |
| overwritten with data from the arguments due to a buffer overflow error. |
| |
| If using wasm_exec.js to execute WASM modules, users will need to replace |
| their copy (as described in |
| https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any |
| modules. |
| published: 2022-05-24T20:14:28Z |
| cves: |
| - CVE-2021-38297 |
| credit: Ben Lubar |
| references: |
| - fix: https://go.dev/cl/354571 |
| - fix: https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4 |
| - report: https://go.dev/issue/48797 |
| - web: https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A |
