x/vulndb: add GO-2022-0273 for CVE-2021-39293
Fixes golang/vulndb#273
Change-Id: I876a26a93a95397bd9b4ab0a3b76fbaf4416e848
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/406579
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/reports/GO-2022-0273.yaml b/reports/GO-2022-0273.yaml
new file mode 100644
index 0000000..dc0bb4b
--- /dev/null
+++ b/reports/GO-2022-0273.yaml
@@ -0,0 +1,25 @@
+packages:
+ - module: std
+ package: archive/zip
+ symbols:
+ - NewReader
+ - OpenReader
+ versions:
+ - fixed: 1.16.8
+ - introduced: 1.17
+ fixed: 1.17.1
+description: |
+ The NewReader and OpenReader functions in archive/zip can cause a panic or
+ an unrecoverable fatal error when reading an archive that claims to contain
+ a large number of files, regardless of its actual size. This is
+ caused by an incomplete fix for CVE-2021-33196.
+cves:
+ - CVE-2021-39293
+credit: OSS-Fuzz Project and Emmanuel Odeke
+links:
+ pr: https://go.dev/cl/343434/
+ commit: https://go.googlesource.com/go/+/bacbc33439b124ffd7392c91a5f5d96eca8c0c0b
+ context:
+ - https://go.dev/issues/47801
+ - https://groups.google.com/g/golang-announce/c/dx9d7IOseHw
+ - https://security.netapp.com/advisory/ntap-20220217-0009/
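Review bot: the `description` block (the lines starting at `+description: |`) states that this is an incomplete fix for CVE-2021-33196 but gives the reader no way to find that earlier fix; since the whole point of this report is the relationship between the two, add the earlier issue or CL to the `context` list alongside `https://go.dev/issues/47801` so the two reports can be read together. The `versions` entries read as intended (all releases before 1.16.8, and 1.17 up to but not including 1.17.1), but a one-line comment noting that the first range has no `introduced` because the affected code predates the tracked history would save the next editor from wondering whether it was dropped by mistake. Minor style point: `pr: https://go.dev/cl/343434/` carries a trailing slash while the `commit:` URL does not; pick one form for both.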