blob: d630e565f9443433856956c12e31ca1d7f7c43d9 [file] [log] [blame]
module = "golang.org/x/text"
package = "golang.org/x/text/encoding/unicode"
description = """
An attacker could provide a single byte to a [`UTF16`] decoder instantiated with
[`UseBOM`] or [`ExpectBOM`] to trigger an infinite loop if the [`String`] function on
the [`Decoder`] is called, or the [`Decoder`] is passed to [`transform.String`].
"""
cve = "CVE-2020-14040"
# This was reported by two people, once publicly and once
# to the security team. Perhaps this should be an array
# to capture multiple reporters?
credit = "@abacabadabacaba" # also Anton Gyllenberg
symbols = ["utf16Decoder.Transform"]
published = "2021-04-14T12:00:00Z"
[[versions]]
fixed = "v0.3.3"
[[additional_packages]]
module = "golang.org/x/text"
package = "golang.org/x/text/transform"
symbols = ["Transform"]
[links]
pr = "https://go-review.googlesource.com/c/text/+/238238"
commit = "https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
context = [
"https://github.com/golang/go/issues/39491",
"https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
]