Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/text: UTF-16 decoder behaves incorrectly on single-byte input #39491

Closed
abacabadabacaba opened this issue Jun 9, 2020 · 1 comment
Closed

x/text: UTF-16 decoder behaves incorrectly on single-byte input #39491

abacabadabacaba opened this issue Jun 9, 2020 · 1 comment
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Unreleased

Comments

@abacabadabacaba
Copy link

When using UTF-16 decoder with BOM to decode a single-byte string, the decoder incorrectly returns ErrShortSrc. This code can be used to reproduce this issue:

package main

import (
	"fmt"
	"golang.org/x/text/encoding/unicode"
)

func main() {
	res, err := unicode.UTF16(unicode.BigEndian, unicode.UseBOM).NewDecoder().String(" ")
	fmt.Println(res, err)
}
@gopherbot gopherbot added this to the Unreleased milestone Jun 9, 2020
@katiehockman katiehockman added the NeedsFix The path to resolution is known, but the work has not been done. label Jun 11, 2020
@katiehockman
Copy link
Contributor

Fixed by https://go-review.googlesource.com/c/text/+/238238

mark-kubacki added a commit to mark-kubacki/http.upload that referenced this issue Jun 16, 2020
@mark-kubacki
insist on bugfixed golang.org/x/text v0.3.3
38c5e43 
For details see golang/go#39491
@llamerada-jp llamerada-jp mentioned this issue Jun 17, 2020
Closed
4 tasks
vdemeester added a commit to vdemeester/tektoncd-pipeline that referenced this issue Jul 10, 2020
@vdemeester
dep: update golang.org/x/text to v0.3.3
c2253ef 
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
vdemeester added a commit to vdemeester/tektoncd-triggers that referenced this issue Jul 10, 2020
@vdemeester
dep: update golang.org/x/text to v0.3.3
19965d6 
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
vdemeester added a commit to vdemeester/tektoncd-cli that referenced this issue Jul 10, 2020
@vdemeester
dep: update golang.org/x/text to v0.3.3
8f172ec 
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
This was referenced Jul 10, 2020
Merged
Merged
Merged
vdemeester added a commit to vdemeester/tektoncd-operator that referenced this issue Jul 10, 2020
@vdemeester
dep: update golang.org/x/text to v0.3.3
dea0733 
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
vdemeester added a commit to vdemeester/tektoncd-operator that referenced this issue Jul 10, 2020
@vdemeester
dep: update golang.org/x/text to v0.3.3
af0b6a2 
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
@vdemeester vdemeester mentioned this issue Jul 10, 2020
Merged
3 tasks
tekton-robot pushed a commit to tektoncd/triggers that referenced this issue Jul 10, 2020
@vdemeester @tekton-robot
dep: update golang.org/x/text to v0.3.3
232cc69 
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
tekton-robot pushed a commit to tektoncd/pipeline that referenced this issue Jul 10, 2020
@vdemeester @tekton-robot
dep: update golang.org/x/text to v0.3.3
568efa4 
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
tekton-robot pushed a commit to tektoncd/cli that referenced this issue Jul 10, 2020
@vdemeester @tekton-robot
dep: update golang.org/x/text to v0.3.3
c226d0b 
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
tekton-robot pushed a commit to tektoncd/operator that referenced this issue Jul 13, 2020
@vdemeester @tekton-robot
dep: update golang.org/x/text to v0.3.3
737681c 
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491.
This "force" bump the dependency to v0.3.3 that contains the fix.

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
periklis added a commit to periklis/loki that referenced this issue Jul 20, 2020
@periklis
Update golang.org/x/text to v0.3.3
360452e 
An issue in golang.org/x/text can lead to infinit loop and cause
crashes, see golang/go#39491. This "force" bump the dependency to
v0.3.3 that contains the fix.
sanchezl added a commit to sanchezl/kubernetes-kube-storage-version-migrator that referenced this issue Jul 30, 2020
@sanchezl
UPSTREAM: <carry>: Bug 1855638: update golang.org/x/text
6183224 
See golang/go#39491
@sanchezl sanchezl mentioned this issue Jul 30, 2020
Merged
sanchezl added a commit to sanchezl/cluster-kube-storage-version-migrator-operator that referenced this issue Jul 31, 2020
@sanchezl
Bug 1855638: update golang.org/x/text
8b33b6a 
  See golang/go#39491
@sanchezl sanchezl mentioned this issue Jul 31, 2020
Merged
tklauser added a commit to tklauser/afero that referenced this issue Aug 6, 2020
@tklauser
go.mod: bump golang.org/x/text to v0.3.3
7686d4f 
golang.org/x/text v0.3.0 has a known vulnerability [1], [2], [3] which
is resolved in v0.3.3

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14040
[2] https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
[3] golang/go#39491
@tklauser tklauser mentioned this issue Aug 6, 2020
Merged
This was referenced Aug 10, 2020
Closed
Closed
@jayaraj-selvaraj jayaraj-selvaraj mentioned this issue Nov 10, 2020
Closed
@bhamail bhamail mentioned this issue Jan 13, 2021
Merged
@JakobGray JakobGray mentioned this issue Mar 1, 2021
Closed
moshe010 added a commit to moshe010/rdma-cni that referenced this issue Mar 2, 2021
@moshe010
update afero v1.3.4
12812a9 
afero v1.3.4 bump golang.org/x/text to v0.3.3
golang.org/x/text v0.3.0 has a known vulnerability [1], [2], [3] which
is resolved in v0.3.3

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14040
[2] https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
[3] golang/go#39491

Signed-off-by: Moshe Levi <moshele@nvidia.com>
@moshe010 moshe010 mentioned this issue Mar 2, 2021
Merged
moshe010 added a commit to moshe010/rdma-cni that referenced this issue Mar 2, 2021
@moshe010
update afero v1.4.1
20f84f0 
afero v1.3.4 bump golang.org/x/text to v0.3.3
golang.org/x/text v0.3.0 has a known vulnerability [1], [2], [3] which
is resolved in v0.3.3

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14040
[2] https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
[3] golang/go#39491

Signed-off-by: Moshe Levi <moshele@nvidia.com>
sttts pushed a commit to sttts/kube-storage-version-migrator that referenced this issue Apr 19, 2021
@sanchezl @sttts
UPSTREAM: <carry>: Bug 1855638: update golang.org/x/text
642ce46 
See golang/go#39491
sttts pushed a commit to sttts/kube-storage-version-migrator that referenced this issue Apr 19, 2021
@sanchezl @sttts
UPSTREAM: <carry>: Bug 1855638: update golang.org/x/text
a33e364 
See golang/go#39491
sttts pushed a commit to sttts/kube-storage-version-migrator that referenced this issue Apr 19, 2021
@sanchezl @sttts
UPSTREAM: <carry>: Bug 1855638: update golang.org/x/text
684089e 
See golang/go#39491
@golang golang locked and limited conversation to collaborators Jun 16, 2021
AlexanderYastrebov pushed a commit to AlexanderYastrebov/go that referenced this issue Oct 3, 2021
@katiehockman
encoding/unicode: correctly handle single-byte UTF-16 inputs (and har…
23ae387 
…den transform.String)

If a single byte is passed to a UTF-16 decoder
with atEOF set, it should not ask for more src
with ErrShortSrc but return an error. Also harden
transform.String not to enter an infinite loop if a
Transformer does return ErrShortSrc with atEOF true.

Fixes golang#39491
Fixes CVE-2020-14040

Change-Id: If8d2a9bca4eb9b4270c98a4967d356082043e17e
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/768667
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-on: https://go-review.googlesource.com/c/text/+/238238
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
4 participants
@FiloSottile @abacabadabacaba @gopherbot @katiehockman