Headline
CVE-2020-28852: x/text: panic in language.ParseAcceptLanguage while processing bcp47 tag · Issue #42536 · golang/go
In x/text in Go before v0.3.5, a “slice bounds out of range” panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
What version of Go are you using (go version)?
$ go version go version go1.15.4 linux/amd64
Does this issue reproduce with the latest release?****What operating system and processor architecture are you using (go env)?go env Output
$ go env GO111MODULE="" GOARCH="amd64" GOBIN="" GOCACHE="/home/sasha/.cache/go-build" GOENV="/home/sasha/.config/go/env" GOEXE="" GOFLAGS="" GOHOSTARCH="amd64" GOHOSTOS="linux" GOINSECURE="" GOMODCACHE="/home/sasha/goenv/pkg/mod" GONOPROXY="" GONOSUMDB="" GOOS="linux" GOPATH="/home/sasha/goenv" GOPRIVATE="" GOPROXY="https://proxy.golang.org,direct" GOROOT="/usr/local/go" GOSUMDB="sum.golang.org" GOTMPDIR="" GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64" GCCGO="gccgo" AR="ar" CC="gcc" CXX="g++" CGO_ENABLED="1" GOMOD="" CGO_CFLAGS="-g -O2" CGO_CPPFLAGS="" CGO_CXXFLAGS="-g -O2" CGO_FFLAGS="-g -O2" CGO_LDFLAGS="-g -O2" PKG_CONFIG="pkg-config" GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build111267796=/tmp/go-build -gno-record-gcc-switches" GOROOT/bin/go version: go version go1.15.4 linux/amd64 GOROOT/bin/go tool compile -V: compile version go1.15.4 uname -sr: Linux 4.19.128-microsoft-standard Distributor ID: Kali Description: Kali GNU/Linux Rolling Release: 2020.2 Codename: kali-rolling /lib/x86_64-linux-gnu/libc.so.6: GNU C Library (Debian GLIBC 2.31-3) stable release version 2.31. gdb --version: GNU gdb (Debian 9.2-1) 9.2 What did you do?
https://play.golang.org/p/SwAU9tKYRsj
What did you expect to see?
Error via return value
What did you see instead?
panic: runtime error: slice bounds out of range [9:8]
goroutine 1 [running]:
golang.org/x/text/internal/language.(*scanner).resizeRange(0xc000068d08, 0x6, 0x8, 0x3)
/tmp/gopath300097471/pkg/mod/golang.org/x/[email protected]/internal/language/parse.go:142 +0x2e7
golang.org/x/text/internal/language.(*scanner).replace(...)
/tmp/gopath300097471/pkg/mod/golang.org/x/[email protected]/internal/language/parse.go:151
golang.org/x/text/internal/language.parseTag(0xc000068d08, 0x0, 0x0, 0x0, 0xc00007e0a3)
/tmp/gopath300097471/pkg/mod/golang.org/x/[email protected]/internal/language/parse.go:296 +0x13b
golang.org/x/text/internal/language.parseExtension(0xc000068d08, 0x8)
/tmp/gopath300097471/pkg/mod/golang.org/x/[email protected]/internal/language/parse.go:552 +0xe74
golang.org/x/text/internal/language.parseExtensions(0xc000068d08, 0x3030000000000)
/tmp/gopath300097471/pkg/mod/golang.org/x/[email protected]/internal/language/parse.go:451 +0xa5
golang.org/x/text/internal/language.parse(0xc000068d08, 0x4d9210, 0x7, 0x3030000000000, 0x0, 0x0, 0x0, 0x0)
/tmp/gopath300097471/pkg/mod/golang.org/x/[email protected]/internal/language/parse.go:268 +0x2bc
golang.org/x/text/internal/language.Parse(0x4d9210, 0x7, 0x0, 0x0, 0x0, 0x4b1185, 0x4d9210)
/tmp/gopath300097471/pkg/mod/golang.org/x/[email protected]/internal/language/parse.go:250 +0x1c7
golang.org/x/text/language.CanonType.Parse(0x17, 0x4d9210, 0x7, 0x4d9210, 0x7, 0x0, 0x0, 0x3fc0389239a6386c)
/tmp/gopath300097471/pkg/mod/golang.org/x/[email protected]/language/parse.go:46 +0x3f
golang.org/x/text/language.Parse(...)
/tmp/gopath300097471/pkg/mod/golang.org/x/[email protected]/language/parse.go:34
golang.org/x/text/language.ParseAcceptLanguage(0x4d9210, 0x7, 0xc000068f48, 0x442bca, 0x56ed40, 0xc000032778, 0xc000068f78, 0x405e25, 0xc00005e058, 0x0)
/tmp/gopath300097471/pkg/mod/golang.org/x/[email protected]/language/parse.go:154 +0x165
main.main()
/tmp/sandbox168582112/prog.go:10 ##+0x3aRelated news
Ubuntu Security Notice 5873-1 - It was discovered that Go Text incorrectly handled certain encodings. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that Go Text incorrectly handled certain BCP 47 language tags. An attacker could possibly use this issue to cause a denial of service. CVE-2020-28851, CVE-2020-28852, and CVE-2021-38561 affected only Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...
An update for podman is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-28851: golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension * CVE-2020-28852: golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag * CVE-2021-4024: podman: podman machine spawns gvproxy with port bound to all IPs * CVE-2021-20199: podman: Remote traffic to rootless containers is seen as orgin...
Red Hat Security Advisory 2022-7129-01 - Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Issues addressed include a denial of service vulnerability.
An update for git-lfs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-28851: golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension * CVE-2020-28852: golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWA...