reports: add GO-2021-0225 for CVE-2020-16845

Fixes golang/vulndb#225

Change-Id: I36d11c4c635c30ba8916b9b59a3c0e92ea012e52
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377619
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/reports/GO-2021-0225.yaml b/reports/GO-2021-0225.yaml
new file mode 100644
index 0000000..6d14706
--- /dev/null
+++ b/reports/GO-2021-0225.yaml
@@ -0,0 +1,28 @@
+module: std
+package: encoding/binary
+versions:
+- fixed: go1.13.15
+- fixed: go1.14.7
+description: |
+  Certain invalid inputs to ReadUvarint or ReadVarint could cause those
+  functions to read an unlimited number of bytes from the ByteReader argument
+  before returning an error. This could lead to processing more input than
+  expected when the caller is reading directly from a network and depends on
+  ReadUvarint and ReadVarint only consuming a small, bounded number of bytes,
+  even from invalid inputs.
+
+  With the update, ReadUvarint and ReadVarint now always return after consuming
+  a bounded number of bytes (specifically, MaxVarintLen64, which is 10). The
+  result being returned has not changed; the functions merely detect and return
+  some errors without reading as much input.
+cves:
+- CVE-2020-16845
+credit: Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon
+symbols:
+- ReadUvarint
+links:
+  pr: https://go.dev/cl/247120
+  commit: https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258
+  context:
+  - https://go.dev/issue/40618
+  - https://groups.google.com/g/golang-announce/c/NyPIaucMgXo
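Review bot: the `symbols` list in this hunk names only `ReadUvarint`, while the description three paragraphs above says both `ReadUvarint` and `ReadVarint` could read an unlimited number of bytes and that both now stop after MaxVarintLen64 bytes. Either add `- ReadVarint` under `symbols` so that callers of ReadVarint are matched by symbol-based vulnerability scanning, or, if the intent is that ReadVarint is covered only through its call into ReadUvarint, say so in the report so the mismatch between the description and the symbol list is deliberate rather than an omission.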