Bug 1913333 (CVE-2020-28851) - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
Summary: CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-28851
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1920256 1922729 1924082 1929288 1929292 1913335 1913336 1922258 1922730 1922731 1922732 1922733 1922735 1929256 1929284 1929285 1929286 1929287 1929289 1929290 1929291 1929293 1929294 1929295 1929536 1929539 1930193 1932143 1938283
Blocks: 1913367
TreeView+ depends on / blocked
 
Reported: 2021-01-06 14:30 UTC by Pedro Sampaio
Modified: 2021-08-06 00:50 UTC (History)
97 users (show)

Fixed In Version: golang.org/x/text 0.3.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang.org. In x/text, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension.
Clone Of:
Environment:
Last Closed: 2021-04-13 06:38:44 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:50:02 UTC

Description Pedro Sampaio 2021-01-06 14:30:24 UTC
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. x/text/language is supposed to be able to parse an HTTP Accept-Language header.

Upstream issue:

https://github.com/golang/go/issues/42535

Comment 1 Pedro Sampaio 2021-01-06 14:32:28 UTC
Created golang tracking bugs for this issue:

Affects: epel-7 [bug 1913336]
Affects: fedora-all [bug 1913335]

Comment 2 juneau 2021-01-14 15:34:59 UTC
Removed services which do not appear to use go{lang}, marked remaining services unaffected as specified version not found.

Comment 4 Jason Shepherd 2021-01-15 05:49:09 UTC
I couldn't find any calls to the affected function "ParseAcceptLanguage" in quay-clair-container, but filed tracking bugs anyway since we are using x/text/language in that container in 3.4 candidate build. As yet there is no fixed version of golang.org/x/text which we are aware of.

Comment 6 amctagga 2021-01-20 18:16:52 UTC
Changing CVSS to match NVD, in a worst case scenario.

Comment 18 Sam Fowler 2021-02-16 09:43:37 UTC
It can be shown with callgraph[0] which main packages use the affected code. A negative example with the operator-registry container[1]:

Identify main packages:

$ grep -rl --exclude-dir=vendor 'package main' . | grep -E '\.go$' | grep -v 'test' | grep -v 'hack' | xargs dirname 2>/dev/null | sort -u
./cmd/appregistry-server
./cmd/configmap-server
./cmd/initializer
./cmd/opm
./cmd/registry-server

Then iterate over these with `callgraph` and grep for any uses of the affected package:

$ callgraph -format digraph ./cmd/appregistry-server | grep golang.org/x/text/language
$

No results, so this package is not used by the "./cmd/appregistry-server" main package in the operator registry container. 

A positive example with the installer container[2]:

$ callgraph -format digraph ./cmd/openshift-install | golang.org/x/text/language
"(*golang.org/x/text/language.Tag).tag" "(golang.org/x/text/internal/language/compact.Tag).Tag"
"(golang.org/x/text/language.Tag).MarshalText" "(*golang.org/x/text/language.Tag).tag"
"(golang.org/x/text/language.Tag).MarshalText" "(golang.org/x/text/internal/language.Tag).MarshalText"
...

We can see that there are functions from the affected package used by "cmd/openshift-install". Therefore we can consider the openshift installer container affected by this CVE.

The was repeated for all OpenShift source code repositories.

[0] https://github.com/golang/tools/blob/master/cmd/callgraph/main.go
[1] https://github.com/operator-framework/operator-registry
[2] https://github.com/openshift/installer

Comment 21 Riccardo Schirone 2021-02-16 14:57:55 UTC
Created git-lfs tracking bugs for this issue:

Affects: fedora-all [bug 1929256]

Comment 25 Sam Fowler 2021-02-23 01:13:06 UTC
In reply to comment #18:
> It can be shown with callgraph[0] which main packages use the affected code.
> A negative example with the operator-registry container[1]:
> 
> Identify main packages:
> 
> $ grep -rl --exclude-dir=vendor 'package main' . | grep -E '\.go$' | grep -v
> 'test' | grep -v 'hack' | xargs dirname 2>/dev/null | sort -u
> ./cmd/appregistry-server
> ./cmd/configmap-server
> ./cmd/initializer
> ./cmd/opm
> ./cmd/registry-server
> 
> Then iterate over these with `callgraph` and grep for any uses of the
> affected package:

`go list -deps` can also be used instead of `callgraph`. Using `go list -deps`, we get the same list of OpenShift components. We can go further and say that the affected code is not only unused, it is not imported at all, and therefore not built into the binaries.

Comment 26 Sam Fowler 2021-02-23 01:13:18 UTC
Statement:

Below Red Hat products include the affected version of 'golang.org/x/text', however the language package is not being used and hence they are rated as having a security impact of Low. A future update may address this issue.

* Red Hat OpenShift Container Storage 4
* OpenShift ServiceMesh (OSSM)
* Red Hat Gluster Storage 3
* Windows Container Support for Red Hat OpenShift

Only three components in OpenShift Container Platform include the affected package, 'golang.org/x/text/language' , the installer, baremetal installer and thanos container images. All other components that include a version of 'golang.org/x/text' do not include the 'language' package and are therefore not affected.

Comment 29 errata-xmlrpc 2021-04-13 00:09:25 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168

Comment 30 Product Security DevOps Team 2021-04-13 06:38:44 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28851

Comment 33 errata-xmlrpc 2021-08-06 00:49:57 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016


Note You need to log in before you can comment on or make changes to this bug.