| module: golang.org/x/text |
| package: golang.org/x/text/encoding/unicode |
| additional_packages: |
| - module: golang.org/x/text |
| package: golang.org/x/text/transform |
| symbols: |
| - Transform |
| versions: |
| - fixed: v0.3.3 |
| versions: |
| - fixed: v0.3.3 |
| description: | |
| An attacker could provide a single byte to a [`UTF16`] decoder instantiated with |
| [`UseBOM`] or [`ExpectBOM`] to trigger an infinite loop if the [`String`] function on |
| the [`Decoder`] is called, or the [`Decoder`] is passed to [`transform.String`]. |
| If used to parse user supplied input, this may be used as a denial of service |
| vector. |
| published: 2021-04-14T12:00:00Z |
| last_modified: 2021-06-07T12:00:00Z |
| cve: CVE-2020-14040 |
| credit: "@abacabadabacaba and Anton Gyllenberg" |
| symbols: |
| - utf16Decoder.Transform |
| links: |
| pr: https://go-review.googlesource.com/c/text/+/238238 |
| commit: https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e |
| context: |
| - https://github.com/golang/go/issues/39491 |
| - https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0 |