commit 4238e19dc6ad74dadd5c190a0cdcd9f60de85204
author Tatiana Bradley <tatiana@golang.org> Wed May 25 12:10:37 2022 -0400
committer Gopher Robot <gobot@golang.org> Wed May 25 18:01:46 2022 +0000
tree 223a6550fab6580da2d2785ae90bc58df98e9dbc
parent 524ee9e90bbb5d4627b1069f9a08a7d4713b33d2

x/vulndb: add GO-2022-0220 for CVE-2019-9634

Fixes golang/vulndb#220

Change-Id: I02e679c7c7b57f44f05cda320587ad1b088b5f08
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/408554
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>

reports/GO-2022-0220.yaml

diff --git a/reports/GO-2022-0220.yaml b/reports/GO-2022-0220.yaml
new file mode 100644
index 0000000..0b31214
--- /dev/null
+++ b/reports/GO-2022-0220.yaml
@@ -0,0 +1,33 @@
+packages:
+  - module: std
+    package: runtime
+    symbols:
+      - loadOptionalSyscalls
+      - osinit
+      - syscall_loadsystemlibrary
+    versions:
+      - fixed: 1.11.7
+      - introduced: 1.12.0
+        fixed: 1.12.2
+  - module: std
+    package: syscall
+    symbols:
+      - LoadDLL
+    versions:
+      - fixed: 1.11.7
+      - introduced: 1.12.0
+        fixed: 1.12.2
+description: |
+    Go on Windows misused certain LoadLibrary functionality, leading to DLL
+    injection.
+cves:
+  - CVE-2019-9634
+credit: Samuel Cochran, Jason Donenfeld
+os:
+  - windows
+links:
+    pr: https://go.dev/cl/165798
+    commit: https://go.googlesource.com/go/+/9b6e9f0c8c66355c0f0575d808b32f52c8c6d21c
+    context:
+      - https://go.dev/issue/28978
+      - https://groups.google.com/g/golang-announce/c/z9eTD34GEIs/m/Z_XmhTrVAwAJ