x/vulndb: add reports/GO-2022-0444.yaml for CVE-2022-29173
Fixes golang/vulndb#0444
Change-Id: I81c64ac7ef48b4c18f27f2883a687082c4793e00
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414575
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
diff --git a/reports/GO-2022-0444.yaml b/reports/GO-2022-0444.yaml
new file mode 100644
index 0000000..a7e0958
--- /dev/null
+++ b/reports/GO-2022-0444.yaml
@@ -0,0 +1,35 @@
+packages:
+ - module: github.com/theupdateframework/go-tuf
+ package: github.com/theupdateframework/go-tuf/client
+ symbols:
+ - Client.Update
+ - Client.UpdateRoots
+ - Client.downloadMetaFromSnapshot
+ - Client.downloadMetaFromTimestamp
+ - Client.decodeRoot
+ - Client.decodeTargets
+ - Client.decodeTimestamp
+ derived_symbols:
+ - Client.Download
+ - Client.Init
+ - Client.Target
+ versions:
+ - fixed: 0.3.0
+ vulnerable_at: 0.2.0
+ - module: github.com/theupdateframework/go-tuf
+ package: github.com/theupdateframework/go-tuf/util
+ symbols:
+ - TimestampFileMetaEqual
+ versions:
+ - fixed: 0.3.0
+ vulnerable_at: 0.2.0
+description: |
+ The TUF client is vulnerable to rollback attacks, in which an
+ attacker causes a client to install software older than the software
+ the client previously knew to be available.
+cves:
+ - CVE-2022-29173
+ghsas:
+ - GHSA-66x3-6cw3-v5gj
+links:
+ commit: https://github.com/theupdateframework/go-tuf/commit/ed6788e710fc3093a7ecc2d078bf734c0f200d8d
