reports: add GO-2021-0234.yaml for CVE-2021-27918
Fixes golang/vulndb#234
Change-Id: I06b728e82b2edfeb82d5df1ba3a0e972b5074848
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377578
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/reports/GO-2021-0234.yaml b/reports/GO-2021-0234.yaml
new file mode 100644
index 0000000..551ef7d
--- /dev/null
+++ b/reports/GO-2021-0234.yaml
@@ -0,0 +1,22 @@
+module: std
+package: encoding/xml
+versions:
+- fixed: go1.15.9
+- fixed: go1.16.1
+- fixed: go1.17.0
+description: |
+ The Decode, DecodeElement, and Skip methods of an xml.Decoder
+ provided by xml.NewTokenDecoder may enter an infinite loop when
+ operating on a custom xml.TokenReader which returns an EOF in the
+ middle of an open XML element.
+cves:
+- CVE-2021-27918
+credit: Sam Whited
+symbols:
+- Decoder.Token
+links:
+ pr: https://go.dev/cl/300391
+ commit: https://go.googlesource.com/go/+/d0b79e3513a29628f3599dc8860666b6eed75372
+ context:
+ - https://go.dev/issue/44913
+ - https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
