x/vulndb: add GO-2022-0435 for CVE-2022-28327 Fixes golang/vulndb#435 Change-Id: I2d8489d0dfc0332358b5457270276b9d7cd55e21 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/407594 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatiana@golang.org>

commit: a32302002dcdcf2b35b15cd5869b584e88adc744 [log] [tgz]
author: Tatiana Bradley <tatiana@golang.org> Fri May 20 16:10:52 2022 -0400
committer: Gopher Robot <gobot@golang.org> Fri May 20 21:17:46 2022 +0000
tree: 27ff5f5aeece457b1382d6e19eedd61763eea573
parent: c89193b5aa84bd27a9980ff18d66a5d194727654 [diff]
diff --git a/reports/GO-2022-0435.yaml b/reports/GO-2022-0435.yaml
new file mode 100644
index 0000000..82cd629
--- /dev/null
+++ b/reports/GO-2022-0435.yaml

@@ -0,0 +1,23 @@
+packages:
+  - module: std
+    package: crypto/elliptic
+    symbols:
+      - P256.ScalarMult
+      - P256.ScalarBaseMult
+    versions:
+      - fixed: 1.17.9
+      - introduced: 1.18
+        fixed: 1.18.1
+description: |
+    A crafted scalar input longer than 32 bytes can cause P256().ScalarMult
+    or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
+    crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
+cves:
+  - CVE-2022-28327
+credit: Project Wycheproof
+links:
+    pr: https://go.dev/cl/397135
+    commit: https://go.googlesource.com/go/+/37065847d87df92b5eb246c88ba2085efcf0b331
+    context:
+      - https://go.dev/issue/52075
+      - https://groups.google.com/g/golang-announce/c/oecdBNLOml8
commit	a32302002dcdcf2b35b15cd5869b584e88adc744	[log] [tgz]
author	Tatiana Bradley <tatiana@golang.org>	Fri May 20 16:10:52 2022 -0400
committer	Gopher Robot <gobot@golang.org>	Fri May 20 21:17:46 2022 +0000
tree	27ff5f5aeece457b1382d6e19eedd61763eea573
parent	c89193b5aa84bd27a9980ff18d66a5d194727654 [diff]