commit 7d9aacc14278918f331b9c87d615e1c734a63d47
author Aria Thaker <ariathaker@gmail.com> Wed Mar 02 13:58:06 2022 -0800
committer Julie Qiu <julie@golang.org> Mon May 23 22:15:21 2022 +0000
tree bb9ed474623f28299ff872d7226b8b45157ff5d8
parent ea28b6b50db89c4ec81e74fa59ee2b817688f3c9

reports: add GO-2021-0319 for CVE-2022-23806

Fixes golang/vulndb#319

Change-Id: I2ab6324070f619dce2e24cbe74faefcde9269b7b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/389414
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>

reports/GO-2021-0319.yaml

diff --git a/reports/GO-2021-0319.yaml b/reports/GO-2021-0319.yaml
new file mode 100644
index 0000000..26e774a
--- /dev/null
+++ b/reports/GO-2021-0319.yaml
@@ -0,0 +1,25 @@
+packages:
+  - module: std
+    package: crypto/elliptic
+    symbols:
+      - CurveParams.IsOnCurve
+      - p384PointFromAffine
+      - p521PointFromAffine
+    versions:
+      - fixed: 1.16.14
+      - introduced: 1.17.0
+        fixed: 1.17.7
+description: |
+  Some big.Int values that are not valid field elements (negative or overflowing)
+  might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
+  may cause a panic or an invalid curve operation. Note that Unmarshal will never
+  return such values.
+cves:
+  - CVE-2022-23806
+credit: Guido Vranken
+links:
+  pr: https://go.dev/cl/382455
+  commit: https://go.googlesource.com/go/+/7f9494c277a471f6f47f4af3036285c0b1419816
+  context:
+    - https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
+    - https://go.dev/issue/50974