blob: 7b1e289d596e1a4ef6442aac0c2c10c12c770b69 [file] [log] [blame]
module: golang.org/x/text
package: golang.org/x/text/encoding/unicode
additional_packages:
- module: golang.org/x/text
package: golang.org/x/text/transform
symbols:
- Transform
versions:
- fixed: v0.3.3
versions:
- fixed: v0.3.3
description: |
An attacker could provide a single byte to a [`UTF16`] decoder instantiated with
[`UseBOM`] or [`ExpectBOM`] to trigger an infinite loop if the [`String`] function on
the [`Decoder`] is called, or the [`Decoder`] is passed to [`transform.String`].
If used to parse user supplied input, this may be used as a denial of service
vector.
published: 2021-04-14T12:00:00Z
last_modified: 2021-06-07T12:00:00Z
cve: CVE-2020-14040
credit: "@abacabadabacaba and Anton Gyllenberg"
symbols:
- utf16Decoder.Transform
links:
pr: https://go-review.googlesource.com/c/text/+/238238
commit: https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
context:
- https://github.com/golang/go/issues/39491
- https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0