module: golang.org/x/text
package: golang.org/x/text/encoding/unicode
additional_packages:
  - module: golang.org/x/text
    package: golang.org/x/text/transform
    symbols:
      - Transform
versions:
  - fixed: v0.3.3
description: |
  An attacker could provide a single byte to a [`UTF16`] decoder instantiated with
  [`UseBOM`] or [`ExpectBOM`] to trigger an infinite loop if the [`String`] function on
  the [`Decoder`] is called, or the [`Decoder`] is passed to [`transform.String`].
published: 2021-04-14T12:00:00Z
cve: CVE-2020-14040
credit: '@abacabadabacaba and Anton Gyllenberg'
symbols:
  - utf16Decoder.Transform
links:
  pr: https://go-review.googlesource.com/c/text/+/238238
  commit: https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
  context:
    - https://github.com/golang/go/issues/39491
    - https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0