Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/text: UTF-16 decoder behaves incorrectly on single-byte input #39491

Closed
abacabadabacaba opened this issue Jun 9, 2020 · 1 comment
Closed
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone

Comments

@abacabadabacaba
Copy link

When using UTF-16 decoder with BOM to decode a single-byte string, the decoder incorrectly returns ErrShortSrc. This code can be used to reproduce this issue:

package main

import (
	"fmt"
	"golang.org/x/text/encoding/unicode"
)

func main() {
	res, err := unicode.UTF16(unicode.BigEndian, unicode.UseBOM).NewDecoder().String(" ")
	fmt.Println(res, err)
}
@gopherbot gopherbot added this to the Unreleased milestone Jun 9, 2020
@katiehockman katiehockman added the NeedsFix The path to resolution is known, but the work has not been done. label Jun 11, 2020
@katiehockman
Copy link
Contributor

mark-kubacki added a commit to mark-kubacki/http.upload that referenced this issue Jun 16, 2020
vdemeester added a commit to vdemeester/tektoncd-pipeline that referenced this issue Jul 10, 2020
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <[email protected]>
vdemeester added a commit to vdemeester/tektoncd-triggers that referenced this issue Jul 10, 2020
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <[email protected]>
vdemeester added a commit to vdemeester/tektoncd-cli that referenced this issue Jul 10, 2020
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <[email protected]>
vdemeester added a commit to vdemeester/tektoncd-operator that referenced this issue Jul 10, 2020
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <[email protected]>
vdemeester added a commit to vdemeester/tektoncd-operator that referenced this issue Jul 10, 2020
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <[email protected]>
tekton-robot pushed a commit to tektoncd/triggers that referenced this issue Jul 10, 2020
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <[email protected]>
tekton-robot pushed a commit to tektoncd/pipeline that referenced this issue Jul 10, 2020
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <[email protected]>
tekton-robot pushed a commit to tektoncd/cli that referenced this issue Jul 10, 2020
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <[email protected]>
tekton-robot pushed a commit to tektoncd/operator that referenced this issue Jul 13, 2020
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <[email protected]>
periklis added a commit to periklis/loki that referenced this issue Jul 20, 2020
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491. This "force" bump the dependency to
v0.3.3 that contains the fix.
sanchezl added a commit to sanchezl/kubernetes-kube-storage-version-migrator that referenced this issue Jul 30, 2020
sanchezl added a commit to sanchezl/cluster-kube-storage-version-migrator-operator that referenced this issue Jul 31, 2020
tklauser added a commit to tklauser/afero that referenced this issue Aug 6, 2020
moshe010 added a commit to moshe010/rdma-cni that referenced this issue Mar 2, 2021
afero v1.3.4 bump golang.org/x/text to v0.3.3
golang.org/x/text v0.3.0 has a known vulnerability [1], [2], [3] which
is resolved in v0.3.3

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14040
[2] https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
[3] golang/go#39491

Signed-off-by: Moshe Levi <[email protected]>
moshe010 added a commit to moshe010/rdma-cni that referenced this issue Mar 2, 2021
afero v1.3.4 bump golang.org/x/text to v0.3.3
golang.org/x/text v0.3.0 has a known vulnerability [1], [2], [3] which
is resolved in v0.3.3

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14040
[2] https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
[3] golang/go#39491

Signed-off-by: Moshe Levi <[email protected]>
sttts pushed a commit to sttts/kube-storage-version-migrator that referenced this issue Apr 19, 2021
sttts pushed a commit to sttts/kube-storage-version-migrator that referenced this issue Apr 19, 2021
sttts pushed a commit to sttts/kube-storage-version-migrator that referenced this issue Apr 19, 2021
@golang golang locked and limited conversation to collaborators Jun 16, 2021
AlexanderYastrebov pushed a commit to AlexanderYastrebov/go that referenced this issue Oct 3, 2021
…den transform.String)

If a single byte is passed to a UTF-16 decoder
with atEOF set, it should not ask for more src
with ErrShortSrc but return an error. Also harden
transform.String not to enter an infinite loop if a
Transformer does return ErrShortSrc with atEOF true.

Fixes golang#39491
Fixes CVE-2020-14040

Change-Id: If8d2a9bca4eb9b4270c98a4967d356082043e17e
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/768667
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/text/+/238238
Run-TryBot: Katie Hockman <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Development

No branches or pull requests

4 participants