x/vulndb: add GO-2021-0356.yaml for CVE-2022-27191
Fixes golang/vulndb#356
Change-Id: Ib45a755d564133f142e1635c8e937dfa39eae764
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/399534
Reviewed-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2021-0356.yaml b/reports/GO-2021-0356.yaml
new file mode 100644
index 0000000..0fd6860
--- /dev/null
+++ b/reports/GO-2021-0356.yaml
@@ -0,0 +1,27 @@
+module: golang.org/x/crypto
+package: golang.org/x/crypto/ssh
+versions:
+ - fixed: v0.0.0-20220314234659-1baeb1ce4c0b
+description: |
+ Attackers can cause a crash in SSH servers when the server has been
+ configured by passing a Signer to ServerConfig.AddHostKey such that
+ 1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and
+ 2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its
+ PublicKey method.
+
+ Servers that only use Signer implementations provided by the ssh package are
+ unaffected.
+cves:
+ - CVE-2022-27191
+ghsas:
+ - GHSA-8c26-wmh5-6g9v
+symbols:
+ - ServerConfig.AddHostKey
+derived_symbols:
+ - ServerConfig.AddHostKey
+links:
+ pr: https://go.dev/cl/392355
+ commit: https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d
+ context:
+ - https://groups.google.com/g/golang-announce
+ - https://groups.google.com/g/golang-announce/c/-cp44ypCT5s
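Review bot: under `links.context`, the first entry `https://groups.google.com/g/golang-announce` is the mailing list's landing page, not an announcement. The second entry already points at the specific thread, so the first can be dropped. In the description, the key type is wrapped in typographic quotes (“ssh-rsa”); plain ASCII quotes would let readers copy and search for the string as it appears in code. `derived_symbols` lists only `ServerConfig.AddHostKey`, the same single entry as `symbols`, so it is worth confirming the duplicate is intended. The report ID carries the year 2021 while the CVE is CVE-2022-27191 and the fixed pseudo-version is dated 20220314; if the ID year is meant to track the disclosure year, this needs a second look.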