x/vulndb: add GO-2022-0171 for CVE-2017-1000097

Fixes golang/vulndb#171

Change-Id: I17ae7d7185d101937704fd022301ed523aa07085
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/408135
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2022-0171.yaml b/reports/GO-2022-0171.yaml
new file mode 100644
index 0000000..6b5192e
--- /dev/null
+++ b/reports/GO-2022-0171.yaml
@@ -0,0 +1,26 @@
+packages:
+ - module: std
+ package: crypto/x509
+ symbols:
+ - FetchPEMRoots
+ - execSecurityRoots
+ versions:
+ - fixed: 1.6.4
+ - introduced: 1.7.0
+ fixed: 1.7.4
+description: |
+ On Darwin, user's trust preferences for root certificates were not honored.
+ If the user had a root certificate loaded in their Keychain that was
+ explicitly not trusted, a Go program would still verify a connection using
+ that root certificate.
+cves:
+ - CVE-2017-1000097
+credit: Xy Ziemba
+os:
+ - darwin
+links:
+ pr: https://go.dev/cl/33721
+ commit: https://go.googlesource.com/go/+/7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a
+ context:
+ - https://go.dev/issue/18141
+ - https://groups.google.com/g/golang-dev/c/4NdLzS8sls8/m/uIz8QlnIBQAJ
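Review bot: The `symbols` list under `crypto/x509` names only `FetchPEMRoots` and `execSecurityRoots`, and `execSecurityRoots` is unexported, so a reader cannot tell from the report which calls in their own code reach the affected logic. Consider having the `description` say in plain terms which verification operations are affected on Darwin (it currently says only that "a Go program would still verify a connection"), or confirm that the exported entry points are covered elsewhere in the tooling. Two smaller points in `description`: "user's trust preferences" should read "a user's trust preferences" or "the user's trust preferences", and it would help to state that the behaviour is corrected in the versions listed under `fixed` (1.6.4 and 1.7.4), since the first range has no `introduced` bound and a reader may not realise it covers every release before 1.6.4.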