x/vulndb: add reports/GO-2021-0142.yaml for CVE-2020-16845
Fixes golang/vulndb#0142
Change-Id: Ic6c0eade810734489ed52a55383d3cfa31239d78
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/415154
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2021-0142.yaml b/reports/GO-2021-0142.yaml
new file mode 100644
index 0000000..2fd64af
--- /dev/null
+++ b/reports/GO-2021-0142.yaml
@@ -0,0 +1,32 @@
+packages:
+ - module: std
+ package: encoding/binary
+ symbols:
+ - ReadUvarint
+ - ReadVarint
+ versions:
+ - fixed: 1.13.15
+ - introduced: 1.14.0
+ fixed: 1.14.7
+ vulnerable_at: 1.14.6
+description: |
+ ReadUvarint and ReadVarint can read an unlimited number of bytes from
+ invalid inputs.
+
+ Certain invalid inputs to ReadUvarint or ReadVarint can cause these
+ functions to read an unlimited number of bytes from the ByteReader
+ parameter before returning an error. This can lead to processing more
+ input than expected when the caller is reading directly from a
+ network and depends on ReadUvarint or ReadVarint only consuming a
+ small, bounded number of bytes, even from invalid inputs.
+cves:
+ - CVE-2020-16845
+ghsas:
+ - GHSA-q6gq-997w-f55g
+credit: Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon
+links:
+ pr: https://go.dev/cl/247120
+ commit: https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258
+ context:
+ - https://go.dev/issue/40618
+ - https://groups.google.com/g/golang-announce/c/NyPIaucMgXo
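Review bot: The indentation in this hunk as rendered does not nest the keys the way the report needs: `package: encoding/binary`, `symbols:` and `versions:` appear at the same column as `- module: std` rather than inside that list item, and `fixed: 1.14.7` / `vulnerable_at: 1.14.6` are not visibly indented under `- introduced: 1.14.0`, so as shown the file would not parse into one package entry with a two-range version list. Please confirm the committed file carries the nested indentation (and that the `vulnerable_at` key belongs to the second range only, since the `fixed: 1.13.15` range has none), and consider giving the first line of `description` a one-line summary that differs from the second paragraph, which currently restates it before adding the network-reading caveat.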