data/reports: add GO-2022-1037.yaml for CVE-2022-2879
Updates golang/vulndb#1037
Change-Id: I0ad7c30d22f5c12fea3b1234aa2957f0258916b7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/439395
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/data/osv/GO-2022-1037.json b/data/osv/GO-2022-1037.json
new file mode 100644
index 0000000..3c28de0
--- /dev/null
+++ b/data/osv/GO-2022-1037.json
@@ -0,0 +1,67 @@
+{
+ "id": "GO-2022-1037",
+ "published": "0001-01-01T00:00:00Z",
+ "modified": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2022-2879"
+ ],
+ "details": "Reader.Read does not set a limit on the maximum size of file headers.\nA maliciously crafted archive could cause Read to allocate unbounded\namounts of memory, potentially causing resource exhaustion or panics.\nAfter fix, Reader.Read limits the maximum size of header blocks to 1 MiB.\n",
+ "affected": [
+ {
+ "package": {
+ "name": "stdlib",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.18.7"
+ },
+ {
+ "introduced": "1.19.0"
+ },
+ {
+ "fixed": "1.19.2"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2022-1037"
+ },
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "archive/tar",
+ "symbols": [
+ "Reader.Next",
+ "Reader.next",
+ "Writer.WriteHeader",
+ "Writer.writePAXHeader",
+ "parsePAX"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://go.dev/issue/54853"
+ },
+ {
+ "type": "FIX",
+ "url": "https://go.dev/cl/439355"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/reports/GO-2022-1037.yaml b/data/reports/GO-2022-1037.yaml
new file mode 100644
index 0000000..b570634
--- /dev/null
+++ b/data/reports/GO-2022-1037.yaml
@@ -0,0 +1,28 @@
+modules:
+ - module: std
+ versions:
+ - fixed: 1.18.7
+ - introduced: 1.19.0
+ fixed: 1.19.2
+ vulnerable_at: 1.19.1
+ packages:
+ - package: archive/tar
+ symbols:
+ - Reader.next
+ - parsePAX
+ - Writer.writePAXHeader
+ derived_symbols:
+ - Reader.Next
+ - Writer.WriteHeader
+description: |
+ Reader.Read does not set a limit on the maximum size of file headers.
+ A maliciously crafted archive could cause Read to allocate unbounded
+ amounts of memory, potentially causing resource exhaustion or panics.
+ After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
+credit: Adam Korczynski (ADA Logics) and OSS-Fuzz
+references:
+ - report: https://go.dev/issue/54853
+ - fix: https://go.dev/cl/439355
+ - web: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
+cve_metadata:
+ id: CVE-2022-2879
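Review bot: The description block (lines for `description:`) names `Reader.Read` as the affected entry point, but the symbols listed for archive/tar are `Reader.next`, `parsePAX` and `Writer.writePAXHeader`, with `Reader.Next` as the derived symbol, which suggests the unbounded header allocation is reached through header parsing in `Next` rather than through `Read`. If that reading is right, the first and last sentences should be aligned with the symbol list, e.g. `Reader.Next does not set a limit on the maximum size of file headers.` and `After fix, Reader.Next limits the maximum size of header blocks to 1 MiB.`, so that a user triaging vulncheck output can match the text to the reported call path. The same wording is carried into the generated `details` field of data/osv/GO-2022-1037.json in the first hunk, so the OSV file should be regenerated after the report is corrected. If the official advisory wording is intentionally `Reader.Read`, a short `# NOTE:` comment above `description:` explaining why the prose and the symbol list differ would avoid the same question on the next review.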