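# Advisory record for CVE-2020-14040 in golang.org/x/text/encoding/unicode.
module = "golang.org/x/text"
package = "golang.org/x/text/encoding/unicode"

# Impact as stated below: unbounded CPU use (an infinite loop) triggered by a
# single attacker-supplied byte, so any decoder fed untrusted input is exposed.
description = """
An attacker could provide a single byte to a [`UTF16`] decoder instantiated with
[`UseBOM`] or [`ExpectBOM`] to trigger an infinite loop if the [`String`] function on
the [`Decoder`] is called, or the [`Decoder`] is passed to [`transform.String`].
"""

cve = "CVE-2020-14040"

# This was reported by two people, once publicly and once
# to the security team. Perhaps this should be an array
# to capture multiple reporters?
credit = "@abacabadabacaba" # also Anton Gyllenberg

# The decoder method in this package that sits on the looping path.
symbols = ["utf16Decoder.Transform"]

# RFC 3339 instant stored as a string; switch to a native TOML datetime only if
# the consuming tool is known to accept one (its expected type is not visible here).
published = "2021-04-14T12:00:00Z"

# Only the fixed version is recorded, with no `introduced` bound — presumably
# every earlier release is treated as affected; confirm against the schema.
[[versions]]
fixed = "v0.3.3"

# Additional package on the reachable path (see the description above).
# NOTE(review): the description names transform.String as an entry point, but
# only Transform is listed here — confirm whether "String" should be added.
[[additional_packages]]
module = "golang.org/x/text"
package = "golang.org/x/text/transform"
symbols = ["Transform"]

# Fix review and commit, followed by the public issue and the announcement thread.
[links]
pr = "https://go-review.googlesource.com/c/text/+/238238"
commit = "https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
context = [
    "https://github.com/golang/go/issues/39491",
    "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0",
]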