commit 207948b206c63d62cbfac9d6f8a3f02153c01d13
author Damien Neil <dneil@google.com> Fri Jun 24 16:15:12 2022 -0700
committer Damien Neil <dneil@google.com> Fri Jul 01 20:07:25 2022 +0000
tree e0fca2af2447c2257eab70e7fb2f29d4c2056b8f
parent b5f6da87e089be2ab81dcd76e007d767d04448e2

x/vulndb: add reports/GO-2022-0461.yaml for CVE-2022-29189

Fixes golang/vulndb#0461

Change-Id: Ia5fa6f788bd24e5fe720048622f18a69c1be546d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414095
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>

reports/GO-2022-0461.yaml

diff --git a/reports/GO-2022-0461.yaml b/reports/GO-2022-0461.yaml
new file mode 100644
index 0000000..901367b
--- /dev/null
+++ b/reports/GO-2022-0461.yaml
@@ -0,0 +1,29 @@
+packages:
+  - module: github.com/pion/dtls/v2
+    symbols:
+      - fragmentBuffer.push
+    derived_symbols:
+      - Client
+      - ClientWithContext
+      - Dial
+      - DialWithContext
+      - Resume
+      - Server
+      - ServerWithContext
+      - handshakeFSM.Run
+      - listener.Accept
+    versions:
+      - fixed: 2.1.4
+    vulnerable_at: 2.1.3
+description: |
+    Attacker can cause unbounded memory consumption.
+
+    The Pion DTLS client and server buffer handshake data with no
+    upper limit, permitting an attacker to cause unbounded memory
+    consumption by sending an unterminated handshake.
+cves:
+  - CVE-2022-29189
+ghsas:
+  - GHSA-cx94-mrg9-rq4j
+links:
+    commit: https://github.com/pion/dtls/commit/a6397ff7282bc56dc37a68ea9211702edb4de1de