Hello gophers,

Version v0.3.3 of golang.org/x/text fixes a vulnerability in the golang.org/x/text/encoding/unicode package which could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory.

An attacker could provide a single byte to a UTF16 <https://pkg.go.dev/golang.org/x/text/encoding/unicode?tab=doc#UTF16> decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String <https://pkg.go.dev/golang.org/x/text/encoding?tab=doc#Decoder.String> function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String <https://pkg.go.dev/golang.org/x/text/transform?tab=doc#String>.

transform.String has also been hardened not to enter an infinite loop if a Transformer <https://pkg.go.dev/golang.org/x/text/transform?tab=doc#Transformer> keeps returning ErrShortSrc <https://pkg.go.dev/golang.org/x/text/transform?tab=doc#ErrShortSrc> even if atEOF is true.

This issue was first filed as Issue 39491 <https://golang.org/issue/39491> by GitHub user abacabadabacaba <https://github.com/abacabadabacaba> and reported to the security team by Anton Gyllenberg. It is tracked as CVE-2020-14040.

Cheers,
Katie for the Go team

To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CALvTBvc82P_AsSDvrDb8b%3D7sbX05vtdxG3n%2BzuvzvrthDCfHXQ%40mail.gmail.com.
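As an added illustration of the two failure modes the announcement describes (a BOM-aware decoder that demands two bytes even when only one will ever arrive, and a driver loop that keeps calling it), the following stand-alone Go program models both the hang and the hardening. It is not code from golang.org/x/text or from this announcement: the Transformer interface, the ErrShortSrc/ErrShortDst values, the bomDecoder type, the driveString function and the errStuck/errNoProgress errors are all local stand-ins written for this example so it builds with the standard library alone, and the real UTF-16 to UTF-8 conversion is deliberately left out since it is irrelevant to the loop.

```go
package main

import (
	"errors"
	"fmt"
)

// Local stand-ins for transform.ErrShortSrc and transform.ErrShortDst with the
// same meaning, so this file builds without golang.org/x/text.
var (
	ErrShortSrc = errors.New("transform: short source buffer")
	ErrShortDst = errors.New("transform: short destination buffer")
)

// Error values invented for this example (not part of x/text).
var (
	errStuck      = errors.New("driver: round budget exhausted, the real loop would never return")
	errNoProgress = errors.New("driver: transformer consumed and produced nothing at EOF")
)

// Transformer is a cut-down copy of the transform.Transformer method that matters here.
type Transformer interface {
	Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error)
}

// bomDecoder mimics the pre-v0.3.3 behaviour the announcement describes: with
// UseBOM/ExpectBOM the decoder needs two bytes to look for a byte-order mark
// and answers ErrShortSrc when given fewer, ignoring atEOF. After the BOM check
// it copies bytes through unchanged (the real UTF-16 to UTF-8 conversion is
// omitted; it plays no part in the looping bug).
type bomDecoder struct{ checkedBOM bool }

func (d *bomDecoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
	if len(src) == 0 {
		return 0, 0, nil
	}
	if !d.checkedBOM {
		if len(src) < 2 {
			return 0, 0, ErrShortSrc // the bug: one byte at EOF can never satisfy this
		}
		d.checkedBOM = true
		if (src[0] == 0xFE && src[1] == 0xFF) || (src[0] == 0xFF && src[1] == 0xFE) {
			nSrc = 2 // consume the BOM, emit nothing for it
		}
	}
	n := copy(dst, src[nSrc:])
	nSrc += n
	if nSrc < len(src) {
		return n, nSrc, ErrShortDst
	}
	return n, nSrc, nil
}

// maxRounds stands in for "forever" so the naive driver still terminates here.
const maxRounds = 1000

// driveString feeds all of s to t with atEOF=true, as transform.String does,
// and collects the output. hardened=false treats ErrShortSrc as "call again",
// which is the shape of the loop that hung on a single byte. hardened=true
// stops as soon as the transformer asks for more input at EOF or makes no
// progress, since neither condition can ever resolve.
func driveString(t Transformer, s string, hardened bool) (string, error) {
	src := []byte(s)
	out := make([]byte, 0, len(src))
	buf := make([]byte, len(src)+4)
	pSrc := 0
	for round := 0; round < maxRounds; round++ {
		nDst, nSrc, err := t.Transform(buf, src[pSrc:], true)
		out = append(out, buf[:nDst]...)
		pSrc += nSrc
		switch {
		case err == nil:
			if pSrc == len(src) {
				return string(out), nil
			}
			if hardened && nDst == 0 && nSrc == 0 {
				return string(out), errNoProgress
			}
		case errors.Is(err, ErrShortDst):
			buf = make([]byte, 2*len(buf)) // grow and retry, as a real driver does
		case errors.Is(err, ErrShortSrc):
			if hardened {
				// atEOF was true, so there is no more input to offer: surface the
				// error instead of spinning.
				return string(out), err
			}
		default:
			return string(out), err
		}
	}
	return string(out), errStuck
}

func main() {
	// Constructed inputs: a BOM-prefixed payload and the single byte from the announcement.
	for _, in := range []string{"\xFE\xFFhello", "\xFE"} {
		for _, hardened := range []bool{false, true} {
			out, err := driveString(&bomDecoder{}, in, hardened)
			fmt.Printf("hardened=%-5v input=%q -> %q err=%v\n", hardened, in, out, err)
		}
	}
}
```

Run as-is: the BOM-prefixed input decodes to "hello" under both drivers, while the single byte exhausts the naive driver's round budget (the stand-in for a hang) and is rejected immediately by the hardened one. The point a practitioner should take from it is that a driver which passes atEOF=true must treat ErrShortSrc as a terminal error, not as a request for more data, and that a transformer which makes no progress at EOF must likewise be refused.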