Bug 1913338 (CVE-2020-28852) - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
Summary: CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-28852
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1913364 1913365 1920258 1922258 1922724 1922725 1922726 1922727 1922728 1922736 1924082 1929297 1929298 1929299 1929300 1929301 1929302 1929303 1929304 1929305 1929306 1929307 1929309 1929536 1929539 1929540 1930194 1938281 2134421 2134422
Blocks: 1913367
TreeView+ depends on / blocked
 
Reported: 2021-01-06 14:36 UTC by Pedro Sampaio
Modified: 2024-03-12 09:07 UTC (History)
94 users (show)

Fixed In Version: golang.org/x/text 0.3.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang.org. In x/text, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag.
Clone Of:
Environment:
Last Closed: 2021-04-13 06:38:52 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:31:40 UTC
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:50:05 UTC
Red Hat Product Errata RHSA-2022:0577 0 None None None 2022-03-28 09:35:48 UTC
Red Hat Product Errata RHSA-2022:1276 0 None None None 2022-04-07 17:58:41 UTC
Red Hat Product Errata RHSA-2022:7129 0 None None None 2022-10-25 09:29:47 UTC
Red Hat Product Errata RHSA-2022:7954 0 None None None 2022-11-15 09:47:39 UTC

Description Pedro Sampaio 2021-01-06 14:36:21 UTC 
In x/text in Go 1.15.4, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. x/text/language is supposed to be able to parse an HTTP Accept-Language header.

Upstream issue:

https://github.com/golang/go/issues/42536
Comment 1 Pedro Sampaio 2021-01-06 15:17:18 UTC 
Created golang tracking bugs for this issue:

Affects: epel-7 [bug 1913365]
Affects: fedora-all [bug 1913364]
Comment 2 Doran Moppert 2021-01-11 12:45:13 UTC 
Upstream patch: https://github.com/golang/text/commit/4482a914f52311356f6f4b7a695d4075ca22c0c6
Comment 3 juneau 2021-01-14 15:35:13 UTC 
Removed services which do not appear to use go{lang}, marked remaining services unaffected as specified version not found.
Comment 5 Sage McTaggart 2021-01-20 18:18:12 UTC 
changing score to match worst case scenario, with NVD's score chosen. This could lead to a DOS of anything running on golang, though not our underlying system.
Comment 7 Sam Fowler 2021-01-22 06:48:18 UTC 
Running deplist[0] on all OCP4 source repos (for the latest current release) gives us the following:

cluster-logging-operator-container:               golang.org/x/text/language  v0.3.2
cluster-node-tuning-operator-container:           golang.org/x/text/language  v0.3.3
csi-driver-manila-container:                      golang.org/x/text/language  v0.3.2
csi-driver-nfs-container:                         golang.org/x/text/language  v0.3.1-0.20181227161524-e6919f6577db
elasticsearch-operator-container:                 golang.org/x/text/language  v0.3.2
local-storage-diskmaker-container:                golang.org/x/text/language  v0.3.3
local-storage-operator-container:                 golang.org/x/text/language  v0.3.3
multus-cni-container:                             golang.org/x/text/language  v0.3.3
node-feature-discovery-container:                 golang.org/x/text/language  v0.3.3
openshift-enterprise-ansible-operator-container:  golang.org/x/text/language  v0.3.3
openshift-enterprise-helm-operator-container:     golang.org/x/text/language  v0.3.3
openshift-enterprise-hyperkube-container:         golang.org/x/text/language  v0.3.3
openshift-enterprise-tests-container:             golang.org/x/text/language  v0.3.3
ose-aws-ebs-csi-driver-container:                 golang.org/x/text/language  v0.3.2
ose-baremetal-installer-container:                golang.org/x/text/language  v0.3.3
ose-elasticsearch-proxy-container:                golang.org/x/text/language  v0.3.2
ose-installer-artifacts-container:                golang.org/x/text/language  v0.3.3
ose-installer-container:                          golang.org/x/text/language  v0.3.3
ose-network-metrics-daemon-container:             golang.org/x/text/language  v0.3.3
ose-ptp-operator-container:                       golang.org/x/text/language  v0.3.3
sriov-network-config-daemon-container:            golang.org/x/text/language  v0.3.3
sriov-network-must-gather-container:              golang.org/x/text/language  v0.3.3
sriov-network-operator-container:                 golang.org/x/text/language  v0.3.3
sriov-network-webhook-container:                  golang.org/x/text/language  v0.3.3
cri-o:                                            golang.org/x/text/language  v0.3.3
cri-tools:                                        golang.org/x/text/language  v0.3.3
openshift:                                        golang.org/x/text/language  v0.3.3
podman:                                           golang.org/x/text/language  v0.3.2

[0] https://github.com/mcoops/deplist
Comment 8 Sam Fowler 2021-01-22 06:50:02 UTC 
For OCP 3.11, we need to use `go list -deps ./...` instead of deplist[0] , because deplist doesn't support glide. We lose version numbers with `go list`, however our results are:

atomic-enterprise-service-catalog:       golang.org/x/text/language
atomic-openshift-descheduler:            golang.org/x/text/language
atomic-openshift-dockerregistry:         golang.org/x/text/language
atomic-openshift:                        golang.org/x/text/language
atomic-openshift-metrics-server:         golang.org/x/text/language
atomic-openshift-node-problem-detector:  golang.org/x/text/language
atomic-openshift-service-idler:          golang.org/x/text/language
atomic-openshift-web-console:            golang.org/x/text/language
csi-attacher:                            golang.org/x/text/language
csi-driver-registrar:                    golang.org/x/text/language
csi-livenessprobe:                       golang.org/x/text/language
csi-provisioner:                         golang.org/x/text/language
golang-github-openshift-oauth-proxy:     golang.org/x/text/language
golang-github-prometheus-prometheus:     golang.org/x/text/language
heapster:                                golang.org/x/text/language
openshift-enterprise-cluster-capacity:   golang.org/x/text/language
openshift-enterprise-image-registry:     golang.org/x/text/language
openshift-external-storage:              golang.org/x/text/language
podman:                                  golang.org/x/text/language

[0] https://github.com/mcoops/deplist
Comment 19 Sam Fowler 2021-02-16 09:46:12 UTC 
It can be shown with callgraph[0] which main packages use the affected code. A negative example with the operator-registry container[1]:

Identify main packages:

$ grep -rl --exclude-dir=vendor 'package main' . | grep -E '\.go$' | grep -v 'test' | grep -v 'hack' | xargs dirname 2>/dev/null | sort -u
./cmd/appregistry-server
./cmd/configmap-server
./cmd/initializer
./cmd/opm
./cmd/registry-server

Then iterate over these with `callgraph` and grep for any uses of the affected package:

$ callgraph -format digraph ./cmd/appregistry-server | grep golang.org/x/text/language
$

No results, so this package is not used by the "./cmd/appregistry-server" main package in the operator registry container. 

A positive example with the installer container[2]:

$ callgraph -format digraph ./cmd/openshift-install | golang.org/x/text/language
"(*golang.org/x/text/language.Tag).tag" "(golang.org/x/text/internal/language/compact.Tag).Tag"
"(golang.org/x/text/language.Tag).MarshalText" "(*golang.org/x/text/language.Tag).tag"
"(golang.org/x/text/language.Tag).MarshalText" "(golang.org/x/text/internal/language.Tag).MarshalText"
...

We can see that there are functions from the affected package used by "cmd/openshift-install". Therefore we can consider the openshift installer container affected by this CVE.

The was repeated for all OpenShift source code repositories.

[0] https://github.com/golang/tools/blob/master/cmd/callgraph/main.go
[1] https://github.com/operator-framework/operator-registry
[2] https://github.com/openshift/installer
Comment 26 Sam Fowler 2021-02-23 01:13:02 UTC 
In reply to comment #19:
> It can be shown with callgraph[0] which main packages use the affected code.
> A negative example with the operator-registry container[1]:
> 
> Identify main packages:
> 
> $ grep -rl --exclude-dir=vendor 'package main' . | grep -E '\.go$' | grep -v
> 'test' | grep -v 'hack' | xargs dirname 2>/dev/null | sort -u
> ./cmd/appregistry-server
> ./cmd/configmap-server
> ./cmd/initializer
> ./cmd/opm
> ./cmd/registry-server
> 
> Then iterate over these with `callgraph` and grep for any uses of the
> affected package:

`go list -deps` can also be used instead of `callgraph`. Using `go list -deps`, we get the same list of OpenShift components. We can go further and say that the affected code is not only unused, it is not imported at all, and therefore not built into the binaries.
Comment 27 Sam Fowler 2021-02-23 01:13:18 UTC 
Statement:

Below Red Hat products include the affected version of 'golang.org/x/text', however the language package is not being used and hence they are rated as having a security impact of Low. A future update may address this issue.

* Red Hat OpenShift Container Storage 4
* OpenShift ServiceMesh (OSSM)
* Red Hat Gluster Storage 3
* Windows Container Support for Red Hat OpenShift

Only three components in OpenShift Container Platform include the affected package, 'golang.org/x/text/language' , the installer, baremetal installer and thanos container images. All other components that include a version of 'golang.org/x/text' do not include the 'language' package and are therefore not affected.
Comment 30 errata-xmlrpc 2021-04-13 00:09:30 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168
Comment 31 Product Security DevOps Team 2021-04-13 06:38:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28852
Comment 33 errata-xmlrpc 2021-07-27 22:31:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
Comment 34 errata-xmlrpc 2021-08-06 00:50:00 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
Comment 35 errata-xmlrpc 2022-03-28 09:35:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577
Comment 36 errata-xmlrpc 2022-04-07 17:58:36 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276
Comment 37 errata-xmlrpc 2022-10-25 09:29:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129
Comment 38 errata-xmlrpc 2022-11-15 09:47:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7954 https://access.redhat.com/errata/RHSA-2022:7954
Note You need to log in before you can comment on or make changes to this bug.