commit 98a14b8e173867108bb49dad270e134d2fc9a3b4
author Tatiana Bradley <tatiana@golang.org> Tue Jun 07 15:44:26 2022 -0400
committer Tatiana Bradley <tatiana@golang.org> Thu Jun 09 01:43:37 2022 +0000
tree 6a7acbd2a6acbab483afeaabb2be569c6fc62859
parent 7ef3c82b820d526cae8fe444af6c72bbd771ea55

x/vulndb: add GO-2022-0477 for CVE-2022-30634

Fixes golang/vulndb#477

Change-Id: I17b8873febe7611efe3ad51e44fc8cec7612af63
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/410914
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>

reports/GO-2022-0477.yaml

diff --git a/reports/GO-2022-0477.yaml b/reports/GO-2022-0477.yaml
new file mode 100644
index 0000000..b2868b5
--- /dev/null
+++ b/reports/GO-2022-0477.yaml
@@ -0,0 +1,28 @@
+packages:
+  - module: std
+    package: crypto/rand
+    symbols:
+      - Read
+    versions:
+      - fixed: 1.17.11
+      - introduced: 1.18.0
+        fixed: 1.18.3
+description: |
+    On Windows, rand.Read will hang indefinitely if passed a buffer larger than
+    1 << 32 - 1 bytes.
+cve_metadata:
+  id: CVE-2022-30634
+  cwe: "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"
+  description: |
+      Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on
+      Windows allows attacker to cause an indefinite hang by passing a buffer
+      larger than 1 << 32 - 1 bytes.
+credit: Davis Goodin and Quim Muntal of Microsoft
+os:
+  - windows
+links:
+    pr: https://go.dev/cl/402257
+    commit: https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863
+    context:
+      - https://go.dev/issue/52561
+      - https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ