commit 6c81741ce7c3fca11bdde0f62eb5d773fede56ab
author ariathaker <ariathaker@gmail.com> Tue Mar 15 13:55:48 2022 -0500
committer Julie Qiu <julie@golang.org> Mon May 23 22:15:47 2022 +0000
tree a4065a916cd2c0b5a807de21709a0e2450c327dd
parent b93ae64bc2e9ea009dfec3a82f1f9ee0cc2ec1a5

reports: add GO-2021-0347 for CVE-2022-24921

Fixes golang/vulndb#347

Change-Id: I8d778c17c2ac55c78d2f7211f79918f777aba4c4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/393116
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>

reports/GO-2021-0347.yaml

diff --git a/reports/GO-2021-0347.yaml b/reports/GO-2021-0347.yaml
new file mode 100644
index 0000000..c268d60
--- /dev/null
+++ b/reports/GO-2021-0347.yaml
@@ -0,0 +1,20 @@
+packages:
+  - module: std
+    package: regexp
+    versions:
+      - fixed: 1.16.15
+      - introduced: 1.17.0
+        fixed: 1.17.8
+    symbols:
+      - regexp.Compile
+description: |
+  On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.
+cves:
+  - CVE-2022-24921
+credit: Juho Nurminen
+links:
+  pr: https://go.dev/cl/384616
+  commit: https://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a
+  context:
+    - https://go.dev/issue/51112
+    - https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk