x/vulndb: add GO-2022-0477 for CVE-2022-30634
Fixes golang/vulndb#477
Change-Id: I17b8873febe7611efe3ad51e44fc8cec7612af63
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/410914
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
diff --git a/reports/GO-2022-0477.yaml b/reports/GO-2022-0477.yaml
new file mode 100644
index 0000000..b2868b5
--- /dev/null
+++ b/reports/GO-2022-0477.yaml
@@ -0,0 +1,28 @@
+packages:
+ - module: std
+ package: crypto/rand
+ symbols:
+ - Read
+ versions:
+ - fixed: 1.17.11
+ - introduced: 1.18.0
+ fixed: 1.18.3
+description: |
+ On Windows, rand.Read will hang indefinitely if passed a buffer larger than
+ 1 << 32 - 1 bytes.
+cve_metadata:
+ id: CVE-2022-30634
+ cwe: "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"
+ description: |
+ Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on
+ Windows allows attacker to cause an indefinite hang by passing a buffer
+ larger than 1 << 32 - 1 bytes.
+credit: Davis Goodin and Quim Muntal of Microsoft
+os:
+ - windows
+links:
+ pr: https://go.dev/cl/402257
+ commit: https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863
+ context:
+ - https://go.dev/issue/52561
+ - https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
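Review bot: The two description fields (the `description:` block and the `cve_metadata.description` block) express the threshold as `1 << 32 - 1 bytes`, which readers may parse differently depending on their assumed operator precedence; spell it out as `2^32 - 1 bytes (4,294,967,295 bytes)` in both places so the affected buffer size is unambiguous. The `description:` block would also be more useful to triage if it stated the impact plainly, e.g. "On Windows, rand.Read will hang indefinitely (denial of service) if passed a buffer larger than 2^32 - 1 bytes," since the CVE description already frames this as an attacker-triggerable hang while the top-level description does not.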