blob: dca9f358ec3c60f4cf16195350329ddef41a37b4 [file] [log] [blame]
packages:
- module: golang.org/x/text
package: golang.org/x/text/encoding/unicode
symbols:
- utf16Decoder.Transform
derived_symbols:
- bomOverride.Transform
versions:
- fixed: 0.3.3
- module: golang.org/x/text
package: golang.org/x/text/transform
symbols:
- Transform
versions:
- fixed: 0.3.3
description: |
An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on
the Decoder is called, or the Decoder is passed to transform.String.
If used to parse user supplied input, this may be used as a denial of service
vector.
published: 2021-04-14T20:04:52Z
last_modified: 2021-06-07T12:00:00Z
cves:
- CVE-2020-14040
ghsas:
- GHSA-5rcv-m4m3-hfh7
credit: '@abacabadabacaba and Anton Gyllenberg'
links:
pr: https://go.dev/cl/238238
commit: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
context:
- https://go.dev/issue/39491
- https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0