reports: add GO-2021-0228 for CVE-2020-7664
Fixes golang/vulndb#228
Change-Id: I53bc9fadff80e209c505bae1b567eba5090fd967
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377620
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/reports/GO-2021-0228.yaml b/reports/GO-2021-0228.yaml
new file mode 100644
index 0000000..23d6c89
--- /dev/null
+++ b/reports/GO-2021-0228.yaml
@@ -0,0 +1,20 @@
+module: github.com/unknwon/cae
+package: github.com/unknwon/cae/zip
+versions:
+- fixed: v1.0.1
+description: |
+ The ExtractTo function doesn't securely escape file paths in zip archives
+ which include leading or non-leading "..". This allows an attacker to add or
+ replace files system-wide.
+cves:
+- CVE-2020-7664
+credit: Georgios Gkitsas of Snyk Security Team
+symbols:
+- TzArchive.syncFiles
+- TzArchive.ExtractToFunc
+- ZipArchive.Open
+- ZipArchive.ExtractToFunc
+links:
+ commit: https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11
+ context:
+ - https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUNKNWONCAEZIP-570383
