x/vulndb: add reports/GO-2022-0209.yaml for CVE-2019-11840

Fixes golang/vulndb#0209

Change-Id: Ibc234c315f8f553edf9eb687fc468bba7bb3984c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/415276
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2022-0209.yaml b/reports/GO-2022-0209.yaml
new file mode 100644
index 0000000..c328357
--- /dev/null
+++ b/reports/GO-2022-0209.yaml
@@ -0,0 +1,35 @@
+packages:
+  - module: golang.org/x/crypto
+    package: golang.org/x/crypto/salsa20/salsa
+    symbols:
+      - XORKeyStream
+    versions:
+      - fixed: 0.0.0-20190320223903-b7391e95e576
+    vulnerable_at: 0.0.0-20190313024323-a1f597ede03a
+description: |
+    XORKeyStream generates incorrect and insecure output for very
+    large inputs.
+
+    If more than 256 GiB of keystream is generated, or if the counter
+    otherwise grows greater than 32 bits, the amd64 implementation will
+    first generate incorrect output, and then cycle back to previously
+    generated keystream. Repeated keystream bytes can lead to loss of
+    confidentiality in encryption applications, or to predictability
+    in CSPRNG applications.
+
+    The issue might affect uses of golang.org/x/crypto/nacl with extremely
+    large messages.
+
+    Architectures other than amd64 and uses that generate less than 256 GiB
+    of keystream for a single salsa20.XORKeyStream invocation are unaffected.
+arch:
+  - amd64
+cves:
+  - CVE-2019-11840
+credit: Michael McLoughlin
+links:
+    pr: https://go.dev/cl/168406
+    commit: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
+    context:
+      - https://go.dev/issue/30965
+      - https://groups.google.com/g/golang-announce/c/tjyNcJxb2vQ/m/n0NRBziSCAAJ
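Review bot: the `packages` entry lists only golang.org/x/crypto/salsa20/salsa with the symbol XORKeyStream, while the description names salsa20.XORKeyStream as the affected invocation and says golang.org/x/crypto/nacl might be affected. Consider adding a package entry for golang.org/x/crypto/salsa20 (and the nacl packages that reach it), or stating in the description that those callers are covered through the salsa symbol, so that a reader matching on package path does not conclude they are unaffected. Separately, the description gives two triggers (more than 256 GiB of keystream, or the counter otherwise growing greater than 32 bits), but the closing "unaffected" paragraph only excludes the 256 GiB case; it would be clearer to mention the counter condition there as well.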