commit 801edeeefb5373e6a8a4fb9779736d43c5822c07
author Damien Neil <dneil@google.com> Mon Jan 10 16:49:13 2022 -0800
committer Damien Neil <dneil@google.com> Thu Feb 17 17:34:14 2022 +0000
tree 7732776f19607ce75e487e10ddda6cad531c6b42
parent 64391f2ad46ba944de529dfae62d4f0cd700c3a9

reports: add GO-2021-0235.yaml for CVE-2021-3114

Fixes golang/vulndb#235

Change-Id: Iea37c88586bf6c6c256079b9614fa099f02f9fb0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377577
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

reports/GO-2021-0235.yaml

diff --git a/reports/GO-2021-0235.yaml b/reports/GO-2021-0235.yaml
new file mode 100644
index 0000000..d45232b
--- /dev/null
+++ b/reports/GO-2021-0235.yaml
@@ -0,0 +1,23 @@
+module: std
+package: crypto/elliptic
+versions:
+- fixed: go1.14.14
+- fixed: go1.15.7
+- fixed: go1.16.0
+description: |
+  The P224() Curve implementation can in rare circumstances generate
+  incorrect outputs, including returning invalid points from
+  ScalarMult.
+cves:
+- CVE-2021-3114
+credit: |
+  the elliptic-curve-differential-fuzzer project running on OSS-Fuzz
+  and reported by Philippe Antoine (Catena cyber)
+symbols:
+- p224Contract
+links:
+  pr: https://go.dev/cl/284779
+  commit: https://go.googlesource.com/go/+/d95ca9138026cbe40e0857d76a81a16d03230871
+  context:
+  - https://go.dev/issue/43786
+  - https://groups.google.com/g/golang-announce/c/mperVMGa98w