x/vulndb: add GO-2022-0289 for CVE-2021-44717
Fixes golang/vulndb#289
Change-Id: I78597e2b3838bf1a7344cfe12d707b4fd2a81d2a
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/406576
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
diff --git a/reports/GO-2022-0289.yaml b/reports/GO-2022-0289.yaml
new file mode 100644
index 0000000..93cabfa
--- /dev/null
+++ b/reports/GO-2022-0289.yaml
@@ -0,0 +1,32 @@
+packages:
+ - module: std
+ package: syscall
+ symbols:
+ - ForkExec
+ versions:
+ - fixed: 1.16.2
+ - introduced: 1.17
+ fixed: 1.17.5
+description: |
+ When a Go program running on a Unix system is out of file descriptors and
+ calls syscall.ForkExec (including indirectly by using the os/exec package),
+ syscall.ForkExec can close file descriptor 0 as it fails. If this happens
+ (or can be provoked) repeatedly, it can result in misdirected I/O such as
+ writing network traffic intended for one connection to a different
+ connection, or content intended for one file to a different one.
+
+ For users who cannot immediately update to the new release, the bug can be
+ mitigated by raising the per-process file descriptor limit.
+cves:
+ - CVE-2021-44717
+credit: Tomasz Maczukin and Kamil TrzciĆski of GitLab
+links:
+ pr: https://go.dev/cl/370576/
+ commit: https://go.googlesource.com/go/+/a76511f3a40ea69ee4f5cd86e735e1c8a84f0aa2
+ context:
+ - https://go.dev/issue/50057
+ - https://groups.google.com/g/golang-announce/c/hcmEScgc00k
+ - https://go.dev/cl/370577/
+ - https://go.dev/cl/370795/
+ - https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html
+ - https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html
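Review bot: The `versions` block looks inconsistent: the first range is `fixed: 1.16.2` with no `introduced`, while the second is `introduced: 1.17` / `fixed: 1.17.5`. Read as written, this says every 1.16.x release from 1.16.2 on is unaffected while 1.17.0 through 1.17.4 are affected, which does not match a fix landing in a 1.17.5 point release alongside a much older 1.16 point release; this is almost certainly a typo for the 1.16 release that shipped with 1.17.5 (1.16.12). Please confirm the 1.16 fixed version against the golang-announce link in `context` before submitting, since vulncheck uses these ranges to decide whether a binary is affected. Separately, the `credit` line carries a mis-encoded character (`TrzciĆski`, with a capital `Ć` mid-surname) that should be checked against the original credit in the announcement and corrected to the intended UTF-8 spelling.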