commit c89193b5aa84bd27a9980ff18d66a5d194727654
author Tatiana Bradley <tatiana@golang.org> Fri May 20 16:27:02 2022 -0400
committer Gopher Robot <gobot@golang.org> Fri May 20 21:17:25 2022 +0000
tree 6007912d3c910bdacfc45d947b0d154a64e75fe8
parent dc790ea16bf783a5a9c35452cff774bec7077931

x/vulndb: add GO-2022-0433 for CVE-2022-24675

Fixes golang/vulndb#433

Change-Id: I90da37d5e3063bc0b9cdb3e9bebbada07b376a2b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/407596
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
Auto-Submit: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>

reports/GO-2022-0433.yaml

diff --git a/reports/GO-2022-0433.yaml b/reports/GO-2022-0433.yaml
new file mode 100644
index 0000000..5cf561a
--- /dev/null
+++ b/reports/GO-2022-0433.yaml
@@ -0,0 +1,20 @@
+packages:
+  - module: std
+    package: encoding/pem
+    symbols:
+      - Decode
+    versions:
+      - fixed: 1.17.9
+      - introduced: 1.18.0
+        fixed: 1.18.1
+description: |
+    encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
+cves:
+  - CVE-2022-24675
+credit: Juho Nurminen of Mattermost
+links:
+    pr: https://go.dev/cl/399820
+    commit: https://go.googlesource.com/go/+/45c3387d777caf28f4b992ad9a6216e3085bb8fe
+    context:
+      - https://go.dev/issue/51853
+      - https://groups.google.com/g/golang-announce/c/oecdBNLOml8