Upstream information
CVE-2020-14040 at MITRE
Description
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having important severity.
CVSS v2 Scores
| National Vulnerability Database |
Base Score | 5 |
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
Access Vector | Network |
Access Complexity | Low |
Authentication | None |
Confidentiality Impact | None |
Integrity Impact | None |
Availability Impact | Partial |
CVSS v3 Scores
| National Vulnerability Database | SUSE |
Base Score | 7.5 | 7.5 |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Attack Vector | Network | Network |
Attack Complexity | Low | Low |
Privileges Required | None | None |
User Interaction | None | None |
Scope | Unchanged | Unchanged |
Confidentiality Impact | None | None |
Integrity Impact | None | None |
Availability Impact | High | High |
CVSSv3 Version | 3.1 | 3.1 |
SUSE Bugzilla entry:
1174397 [RESOLVED / INVALID]
No SUSE Security Announcements cross referenced.
List of released packages
Product(s) | Fixed package version(s) | References |
SUSE Liberty Linux 8 | buildah >= 1.15.1-2.module+el8.3.0+8221+97165c3f
buildah-tests >= 1.15.1-2.module+el8.3.0+8221+97165c3f
cockpit-podman >= 18.1-2.module+el8.3.0+8221+97165c3f
conmon >= 2.0.20-2.module+el8.3.0+8221+97165c3f
container-selinux >= 2.144.0-1.module+el8.3.0+8221+97165c3f
containernetworking-plugins >= 0.8.6-2.module+el8.3.0+8221+97165c3f
containers-common >= 1.1.1-3.module+el8.3.0+8221+97165c3f
crit >= 3.14-2.module+el8.3.0+8221+97165c3f
criu >= 3.14-2.module+el8.3.0+8221+97165c3f
crun >= 0.14.1-2.module+el8.3.0+8221+97165c3f
delve >= 1.3.2-3.module+el8.2.0+5581+896cb53e
fuse-overlayfs >= 1.1.2-3.module+el8.3.0+8221+97165c3f
go-toolset >= 1.13.15-1.module+el8.2.0+7662+fa98b974
golang >= 1.13.15-1.module+el8.2.0+7662+fa98b974
golang-bin >= 1.13.15-1.module+el8.2.0+7662+fa98b974
golang-docs >= 1.13.15-1.module+el8.2.0+7662+fa98b974
golang-misc >= 1.13.15-1.module+el8.2.0+7662+fa98b974
golang-race >= 1.13.15-1.module+el8.2.0+7662+fa98b974
golang-src >= 1.13.15-1.module+el8.2.0+7662+fa98b974
golang-tests >= 1.13.15-1.module+el8.2.0+7662+fa98b974
libslirp >= 4.3.1-1.module+el8.3.0+8221+97165c3f
libslirp-devel >= 4.3.1-1.module+el8.3.0+8221+97165c3f
oci-seccomp-bpf-hook >= 1.1.2-3.module+el8.3.0+8221+97165c3f
podman >= 2.0.5-5.module+el8.3.0+8221+97165c3f
podman-catatonit >= 2.0.5-5.module+el8.3.0+8221+97165c3f
podman-docker >= 2.0.5-5.module+el8.3.0+8221+97165c3f
podman-remote >= 2.0.5-5.module+el8.3.0+8221+97165c3f
podman-tests >= 2.0.5-5.module+el8.3.0+8221+97165c3f
python-podman-api >= 1.2.0-0.2.gitd0a45fe.module+el8.3.0+8221+97165c3f
python3-criu >= 3.14-2.module+el8.3.0+8221+97165c3f
runc >= 1.0.0-68.rc92.module+el8.3.0+8221+97165c3f
skopeo >= 1.1.1-3.module+el8.3.0+8221+97165c3f
skopeo-tests >= 1.1.1-3.module+el8.3.0+8221+97165c3f
slirp4netns >= 1.1.4-2.module+el8.3.0+8221+97165c3f
toolbox >= 0.0.8-1.module+el8.3.0+8221+97165c3f
udica >= 0.2.2-1.module+el8.3.0+8221+97165c3f
| Patchnames: RHSA-2020:3665 RHSA-2020:4694 |
SUSE Timeline for this CVE
CVE page created: Thu Jun 18 04:12:28 2020
CVE page last modified: Mon Oct 30 18:10:06 2023