Bug 1853652 (CVE-2020-14040)

Summary: CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abenaiss, abonas, adam.kaplan, admiller, agarcial, aileenc, alegrand, alitke, amackenz, amasferr, amcdermo, amurdaca, anpicker, aos-bugs, aos-install, aos-storage-staff, asm, ataylor, avicenzi, bbaude, bbennett, bbrownin, bdettelb, bibryam, bmontgom, bodavis, chazlett, cnv-qe-bugs, dbaker, dbecker, deparker, drieden, dwalsh, ecordell, emachado, eparis, eric.wittmann, erooth, fdeutsch, ganandan, gbrown, ggaughan, gghezzo, gmalinko, gparvin, hchiramm, hvyas, inecas, janstey, jburrell, jcajka, jcantril, jesusr, jhadvig, jjoyce, jlanford, jligon, jmulligan, jnovy, jochrist, jokerman, jpadman, jramanat, jschluet, jschorr, jweiser, jwon, kakkoyun, kconner, krathod, law, lcosic, lemenkov, lhh, lmohanty, lpeer, lsm5, madam, markito, maszulik, mburns, mcooper, mcressma, mfojtik, mheon, mkudlej, mkunc, mloibl, mnewsome, nalin, nstielau, obulatov, pantinor, pbhattac, phoracek, pkrupa, pthomas, puebele, rcernich, renich, rhs-bugs, rphillips, rrajasek, rtalur, sbatsche, sclewis, sd-operator-metering, sejug, sgott, shurley, slinaber, sponnaga, stcannon, storage-qa-internal, sttts, surbania, thee, tjelinek, tjochec, tkral, tomckay, tross, tschelle, tstellar, tsweeney, umohnani, vbatts, vbellur, vbobade, wzheng, zkosic
Target Milestone: ---
Keywords: Security, UpcomingSprint
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: golang.org/x/text 0.3.3
Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Bytes, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop that consumes ever more memory, resulting in a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-07-22 13:27:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1853653, 1853654, 1854693, 1854694, 1854695, 1854714, 1854715, 1854716, 1854717, 1854718, 1854719, 1854832, 1854833, 1854834, 1854835, 1854837, 1854838, 1854840, 1855568, 1855569, 1855570, 1855571, 1855572, 1855573, 1855575, 1855576, 1855577, 1855578, 1855579, 1855580, 1855581, 1855582, 1855583, 1855584, 1855586, 1855587, 1855588, 1855589, 1855590, 1855591, 1855592, 1855593, 1855594, 1855597, 1855598, 1855599, 1855600, 1855601, 1855602, 1855603, 1855604, 1855605, 1855606, 1855607, 1855608, 1855609, 1855610, 1855611, 1855612, 1855613, 1855614, 1855615, 1855616, 1855617, 1855618, 1855619, 1855620, 1855621, 1855623, 1855624, 1855625, 1855626, 1855627, 1855628, 1855629, 1855630, 1855631, 1855632, 1855633, 1855634, 1855635, 1855636, 1855637, 1855638, 1855639, 1855640, 1855641, 1855642, 1855643, 1855644, 1855645, 1855646, 1855647, 1855648, 1855649, 1855650, 1855654, 1855655, 1855656, 1855657, 1855658, 1855659, 1855660, 1855661, 1855662, 1855663, 1855664, 1855665, 1855666, 1855667, 1855668, 1855669, 1855670, 1855671, 1855672, 1855673, 1855674, 1855675, 1855676, 1855679, 1855680, 1855681, 1855682, 1855683, 1855684, 1855685, 1855686, 1855687, 1855688, 1855689, 1855690, 1855691, 1855692, 1855693, 1855694, 1855695, 1855696, 1855697, 1855698, 1855699, 1855700, 1855701, 1855702, 1855703, 1856127, 1856128, 1856129, 1856130, 1856131, 1856132, 1856133, 1856134, 1856135, 1856136, 1856137, 1856138, 1856140, 1856141, 1856142, 1856143, 1856144, 1856145, 1856146, 1856147, 1856148, 1856150, 1856151, 1856152, 1856153, 1856190, 1856191, 1856192, 1856193, 1856194, 1856195, 1856196, 1856197, 1856198, 1856199, 1856200, 1856201, 1856202, 1856203, 1856204, 1856205, 1856206, 1856207, 1856208, 1856209, 1856210, 1856211, 1856212, 1856213, 1856214, 1856215, 1856216, 1856217, 1856218, 1856219, 1856220, 1856221, 1856222, 1856223, 1856224, 1856225, 1856226, 1856227, 1856228, 1856229, 1856230, 1856231, 1856233, 1856234, 1856235, 1856286, 1857030, 1857031, 1857032, 1857033, 1857034, 1857035, 1857107, 1857108, 1857109, 1857110, 1857111, 1857112, 1857682, 1858217, 1858837, 1865873, 1866052, 1866054, 1866057, 1866058, 1881539, 1881575, 1893686, 1894171, 1895446, 1901782, 1901783, 1901784, 1901785, 1901786, 1901787, 1901788, 1901789, 1901790, 1932326, 1932327, 1932328, 1932329, 1932330, 1932331, 1932332, 1932333, 1932334, 1932335, 1932336, 1932337, 1932338, 1932339, 1932340, 1932342, 1932343, 1932344, 1932345, 1932346, 1932347, 1932348, 1932349, 1932350, 1932351, 1932352, 1932353, 1932354, 1932355, 1932356, 1932357, 1932358, 1932359, 1932360, 1932361, 1932481, 1932498, 1932617, 1932632, 1932633, 1932665, 1932668, 1933062, 1933068, 1933073, 1933104, 1933106, 1933136, 1938297, 1938355, 1939647, 1951707, 1977541, 1977542
Bug Blocks: 1853655

Description Marian Rehak 2020-07-03 13:29:43 UTC
Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF-16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Upstream Reference:

https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0?pli=1
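
The description above pins the failure mode to one spot: a UTF-16 decoder configured with UseBOM or ExpectBOM is handed a single byte, which can hold neither a byte order mark nor a code unit, and the decode loop never terminates. The Go program below is an added illustration written for this page, not code from golang.org/x/text, the reporter, or Red Hat, and it builds with the standard library only. It redeclares a Transformer interface with the same method shape as x/text's transform.Transformer (an assumption, so no module download is needed), implements a small BMP-only UTF-16 decoder whose end-of-input answers are always terminal (consumed bytes or a final error, never a request for more input), and wraps the call loop the way a transform.String/Bytes-style caller would, with a progress check so a Transform that consumes nothing, produces nothing and reports nothing becomes an error rather than a hang. All names here (UTF16Decoder, Decode, ErrTruncated, ErrNoProgress, shortErr, stalling) are mine, and surrogate pairs are replaced with U+FFFD to keep the example short.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
	"unicode/utf8"
)

// Transformer has the method shape of x/text's transform.Transformer (redeclared here, an assumption).
type Transformer interface {
	Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error)
}

var (
	ErrShortDst   = errors.New("transform: destination too small, retry with more room")
	ErrShortSrc   = errors.New("transform: need more input (valid only while !atEOF)")
	ErrTruncated  = errors.New("utf16: input ends inside a code unit or BOM")
	ErrMissingBOM = errors.New("utf16: byte order mark required but not present")
	ErrNoProgress = errors.New("transform: no progress made, aborting to avoid an infinite loop")
)

// UTF16Decoder is a constructed BMP-only UTF-16 to UTF-8 decoder, not x/text's (surrogates become U+FFFD).
type UTF16Decoder struct {
	ExpectBOM bool             // true: a leading BOM is mandatory; false: honour one if present (UseBOM)
	Order     binary.ByteOrder // endianness when no BOM is seen; nil means big-endian
	bomDone   bool
}

func shortErr(atEOF bool) error {
	if atEOF {
		return ErrTruncated // at end of input the answer must be terminal, never "send more"
	}
	return ErrShortSrc // mid-stream the caller may still supply the missing bytes
}

func (d *UTF16Decoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
	if len(src) < 2 { // nothing or a lone byte: cannot hold a code unit, let alone a BOM
		if atEOF && d.ExpectBOM && !d.bomDone {
			return 0, 0, ErrMissingBOM
		}
		if len(src) == 1 || !atEOF {
			return 0, 0, shortErr(atEOF) // the report's single-byte input ends here, not in a retry
		}
		return 0, 0, nil // empty input at end of stream
	}
	if !d.bomDone {
		switch {
		case src[0] == 0xFE && src[1] == 0xFF:
			d.Order, nSrc = binary.BigEndian, 2
		case src[0] == 0xFF && src[1] == 0xFE:
			d.Order, nSrc = binary.LittleEndian, 2
		case d.ExpectBOM:
			return 0, 0, ErrMissingBOM
		case d.Order == nil:
			d.Order = binary.BigEndian
		}
		d.bomDone = true
	}
	for nSrc < len(src) {
		if len(src)-nSrc < 2 { // odd trailing byte
			return nDst, nSrc, shortErr(atEOF)
		}
		r := rune(d.Order.Uint16(src[nSrc:]))
		if utf16.IsSurrogate(r) {
			r = utf8.RuneError
		}
		if nDst+utf8.RuneLen(r) > len(dst) {
			return nDst, nSrc, ErrShortDst
		}
		nDst += utf8.EncodeRune(dst[nDst:], r)
		nSrc += 2
	}
	return nDst, nSrc, nil
}

// Decode drives t like a transform.String/Bytes-style caller (repeated calls, atEOF=true) and adds a
// progress check: a call that consumes nothing, produces nothing and reports no error becomes an error.
func Decode(t Transformer, src []byte) (string, error) {
	out, buf := make([]byte, 0, 2*len(src)), make([]byte, 4) // tiny buf exercises the ErrShortDst retry
	for {
		nDst, nSrc, err := t.Transform(buf, src, true)
		out, src = append(out, buf[:nDst]...), src[nSrc:]
		switch {
		case err != nil && err != ErrShortDst:
			return string(out), err
		case err == nil && len(src) == 0:
			return string(out), nil
		case nDst == 0 && nSrc == 0:
			return string(out), ErrNoProgress
		}
	}
}

type stalling struct{} // models the bug class from the caller's side: (0, 0, nil) on input it cannot parse

func (stalling) Transform(_, _ []byte, _ bool) (int, int, error) { return 0, 0, nil }

func main() { fmt.Println(Decode(&UTF16Decoder{}, []byte{0xFE})) } // the report's single-byte input
```

Running it prints the result for the report's single-byte input under UseBOM: an empty string and ErrTruncated, a definite answer. The defender's check this encodes is the Transform contract at end of input: when atEOF is true, the call must either consume bytes or fail with a terminal error, because a "need more input" signal or a (0, 0, nil) return at that point is exactly what keeps a caller looping. The caller-side guard in Decode is a second line of defence for any Transformer you do not control; the fix for the library itself is the golang.org/x/text 0.3.3 upgrade this bug records.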

Comment 1 Marian Rehak 2020-07-03 13:30:20 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1853654]
Affects: fedora-all [bug 1853653]

Comment 28 Mark Cooper 2020-07-13 01:03:52 UTC
Git commit: https://go-review.googlesource.com/c/text/+/238238

Comment 29 Mark Cooper 2020-07-13 01:06:14 UTC
Statement:

OpenShift ServiceMesh (OSSM) 1.0 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities. Jaeger was packaged with ServiceMesh in 1.0, and hence is also marked OOSS, but the Jaeger-Operator is a standalone product and is affected by this vulnerability.

Comment 38 errata-xmlrpc 2020-07-22 07:33:40 UTC
This issue has been addressed in the following products:

  Jaeger-1.17

Via RHSA-2020:3087 https://access.redhat.com/errata/RHSA-2020:3087

Comment 39 Product Security DevOps Team 2020-07-22 13:27:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14040

Comment 40 errata-xmlrpc 2020-08-06 20:17:54 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1
  Openshift Service Mesh 1.1

Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369

Comment 41 errata-xmlrpc 2020-08-06 20:21:51 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:3372 https://access.redhat.com/errata/RHSA-2020:3372

Comment 45 errata-xmlrpc 2020-09-08 09:47:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3665 https://access.redhat.com/errata/RHSA-2020:3665

Comment 46 errata-xmlrpc 2020-09-08 10:09:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:3578 https://access.redhat.com/errata/RHSA-2020:3578

Comment 47 errata-xmlrpc 2020-09-16 07:56:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:3727 https://access.redhat.com/errata/RHSA-2020:3727

Comment 48 errata-xmlrpc 2020-09-21 19:50:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:3780 https://access.redhat.com/errata/RHSA-2020:3780

Comment 49 errata-xmlrpc 2020-09-22 07:15:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:3783 https://access.redhat.com/errata/RHSA-2020:3783

Comment 52 errata-xmlrpc 2020-10-08 10:50:37 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:4214 https://access.redhat.com/errata/RHSA-2020:4214

Comment 54 errata-xmlrpc 2020-10-27 14:53:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297

Comment 55 errata-xmlrpc 2020-10-27 16:24:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298

Comment 58 errata-xmlrpc 2020-11-04 03:05:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4694 https://access.redhat.com/errata/RHSA-2020:4694

Comment 59 errata-xmlrpc 2020-11-10 13:52:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:5054 https://access.redhat.com/errata/RHSA-2020:5054

Comment 60 errata-xmlrpc 2020-11-10 13:53:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:5055 https://access.redhat.com/errata/RHSA-2020:5055

Comment 61 errata-xmlrpc 2020-11-10 13:54:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:5056 https://access.redhat.com/errata/RHSA-2020:5056

Comment 62 errata-xmlrpc 2020-11-18 15:07:27 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.11

Via RHSA-2020:5149 https://access.redhat.com/errata/RHSA-2020:5149

Comment 63 errata-xmlrpc 2020-11-24 09:02:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2020:5198 https://access.redhat.com/errata/RHSA-2020:5198

Comment 65 errata-xmlrpc 2020-12-17 05:42:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.6.0 on RHEL-8

Via RHSA-2020:5606 https://access.redhat.com/errata/RHSA-2020:5606

Comment 66 errata-xmlrpc 2020-12-17 06:22:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.6.0 on RHEL-8

Via RHSA-2020:5605 https://access.redhat.com/errata/RHSA-2020:5605

Comment 67 errata-xmlrpc 2021-02-04 16:14:48 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420

Comment 74 errata-xmlrpc 2021-02-24 15:00:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5635 https://access.redhat.com/errata/RHSA-2020:5635

Comment 75 errata-xmlrpc 2021-02-24 15:10:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633

Comment 78 errata-xmlrpc 2021-03-10 11:15:20 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799

Comment 80 errata-xmlrpc 2021-03-24 12:57:55 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 7

Via RHSA-2021:0980 https://access.redhat.com/errata/RHSA-2021:0980

Comment 82 errata-xmlrpc 2021-04-07 10:31:24 UTC
This issue has been addressed in the following products:

  3scale API Management

Via RHSA-2021:1129 https://access.redhat.com/errata/RHSA-2021:1129

Comment 83 errata-xmlrpc 2021-04-13 00:09:29 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168

Comment 86 errata-xmlrpc 2021-04-26 15:56:02 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 7

Via RHSA-2021:1369 https://access.redhat.com/errata/RHSA-2021:1369

Comment 87 errata-xmlrpc 2021-05-19 08:01:17 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:2039 https://access.redhat.com/errata/RHSA-2021:2039

Comment 91 errata-xmlrpc 2021-08-11 18:25:47 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140