x/text: panic in language.ParseAcceptLanguage while parsing -u- extension #42535

Closed
ph1048 opened this issue Nov 12, 2020 · 16 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
@ph1048

ph1048 commented Nov 12, 2020

What version of Go are you using (go version)?

$ go version
go version go1.15.4 linux/amd64

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/sasha/.cache/go-build"
GOENV="/home/sasha/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/sasha/goenv/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/sasha/goenv"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build111267796=/tmp/go-build -gno-record-gcc-switches"
GOROOT/bin/go version: go version go1.15.4 linux/amd64
GOROOT/bin/go tool compile -V: compile version go1.15.4
uname -sr: Linux 4.19.128-microsoft-standard
Distributor ID:	Kali
Description:	Kali GNU/Linux Rolling
Release:	2020.2
Codename:	kali-rolling
/lib/x86_64-linux-gnu/libc.so.6: GNU C Library (Debian GLIBC 2.31-3) stable release version 2.31.
gdb --version: GNU gdb (Debian 9.2-1) 9.2

What did you do?

https://play.golang.org/p/FCHj_rCBdiH

What did you expect to see?

Error via return value

What did you see instead?

panic: runtime error: index out of range [17] with length 14

goroutine 1 [running]:
golang.org/x/text/internal/language.Tag.findTypeForKey(0x202000000013e, 0xc00002c070, 0xe, 0x4d8c35, 0x2, 0x2d01104014010d0, 0x21127901ec11a0, 0x14e1470015e1424)
	/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/internal/language/language.go:456 +0x366
golang.org/x/text/internal/language.Tag.TypeForKey(0x202000000013e, 0xc00002c070, 0xe, 0x4d8c35, 0x2, 0xe, 0x20)
	/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/internal/language/language.go:307 +0x4d
golang.org/x/text/internal/language/compact.Make(0x202000000013e, 0xc00002c070, 0xe, 0xc00002c070, 0xe, 0x4fbf00)
	/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/internal/language/compact/language.go:38 +0x65
golang.org/x/text/language.makeTag(...)
	/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/language/language.go:25
golang.org/x/text/language.CanonType.Parse(0x17, 0x4da9c2, 0x10, 0x4da9c2, 0x10, 0x0, 0x0, 0x3fc0389239a6386c)
	/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/language/parse.go:48 +0x145
golang.org/x/text/language.Parse(...)
	/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/language/parse.go:34
golang.org/x/text/language.ParseAcceptLanguage(0x4da9c2, 0x10, 0xc000068f48, 0x442bca, 0x56ed40, 0xc000032778, 0xc000068f78, 0x405e25, 0xc00005e058, 0x0)
	/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/language/parse.go:154 +0x165
main.main()
	/tmp/sandbox226474929/prog.go:10 +0x3a
@ph1048 ph1048 changed the title text/language: panic in language.ParseAcceptLanguage while parsing -u- extension x/text: panic in language.ParseAcceptLanguage while parsing -u- extension Nov 12, 2020
@gopherbot gopherbot added this to the Unreleased milestone Nov 12, 2020
@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 13, 2020
@cagedmantis
Contributor

/cc @mpvl

@carnil

carnil commented Jan 2, 2021

CVE-2020-28851 appears to have been assigned for this issue.

@andyedwardsibm

andyedwardsibm commented Jan 7, 2021

Is a fix available for this, or any info on what version of go it will go into? Or is it just x/text that's affected and the fix will be there (may already be there)?

@dvasilen

dvasilen commented Jan 21, 2021

The latest text v0.3.5 #42536 (comment) still does not have a fix for this issue.

package main

import (
	"fmt"

	"golang.org/x/text/language"
)

func main() {
	// _, _, err := language.ParseAcceptLanguage("00-t-0o") // fixed CVE-2020-28852
	// fmt.Println("Error:", err)
	// Error: language: tag is not well-formed

	_, _, err := language.ParseAcceptLanguage("ES-v-00-u-000-00") // not fixed CVE-2020-28851
	fmt.Println("Error:", err)
	// panic: runtime error: index out of range [17] with length 14
}

/cc @rsc

@dvasilen

Any update/ETA on this issue is appreciated.

@benjsmi

benjsmi commented Feb 4, 2021

+1 -- any word on the progress of this?

@rsc
Contributor

rsc commented Feb 10, 2021

Discussed with @mpvl - this is in a different part of the code and still needs to be fixed. He will work on it.

@gopherbot

Change https://golang.org/cl/293549 mentions this issue: language: allow variable number of types per key in -u- extension

@Jethzabell

"Any update/ETA on this issue is appreciated."

@mpvl
Contributor

mpvl commented Feb 27, 2021

@Jethzabell: submitted a fix.

@zhsj
Contributor

zhsj commented Feb 28, 2021

A new tag on x/text is appreciated.

@dvasilen

+1

@dvasilen

dvasilen commented Mar 1, 2021

While we are waiting for the tag ... here is the go.mod update to pick up the fix

golang.org/x/text v0.3.6-0.20210227105805-e3aa4adf54f6

@benjsmi

benjsmi commented Mar 18, 2021

I'm somewhat new to the Go community, but I have observed that with go1.16.2, when you run go get golang.org/x/text/language, it still pulls version v0.3.5 of this module instead of the newly-fixed 0.3.6. Can someone help me track when that would/will change? So far, I've been watching on https://golang.org/doc/devel/release.html#go1.16 and also https://github.com/golang/go/issues?q=milestone%3AGo1.16.2+label%3ACherryPickApproved as examples.

I should note: I'm aware I can change the version that is used in my go.mod, but my team uses countless Go components that would need to be checked for the existence of golang.org/x/text -- it would be much much easier if the default version installed is the one mentioned by @dvasilen above.

@RSAlderman

Any idea when the tagged v0.3.6 version with the fix will be available?

@mpvl
Contributor

mpvl commented Mar 26, 2021 via email

Madhu-1 added a commit to Madhu-1/ceph-csi that referenced this issue Jun 4, 2021
update text package to 0.3.6 to fix CVE CVE-2020-28851

more details at golang/go#42535
and https://bugzilla.redhat.com/show_bug.cgi?id=1922730

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
@golang golang locked and limited conversation to collaborators Mar 26, 2022
xhit pushed a commit to xhit/text that referenced this issue Oct 10, 2022
This also fixes CVE-2020-28851. This was an off-by-one
error, but is fixed by handling all cases according to the spec.

These valid cases seem to be not used in practice much,
if at all, but the main benefit is that it makes all valid BCP 47
language tags also valid -u extensions. Fixing the code
to handle BCP 47 results in cleaner and seemingly more
robust code.

The main difference is as follows. The old implementation
assumed a -u- extension of the form:

    <tag> "-u"  { "-" <attr> } { "-" <key> "-" <type> } [ <otherExtensions> ]

where <attr> and <type> are of length 3-8 and a <key> is of length 2.

According to the spec, though, the format is

    <tag> "-u"  { "-" <attr> } { "-" <key> { "-" <type> } } [ <otherExtensions> ]

So every key may be associated with zero or more types, instead of
exactly one.

The new code now handles this.

The language.Tag.TypeForKey method is now defined to only
return the first entry or nothing at all. This is for backwards
compatibility reasons.

Fixes golang/go#42535

Change-Id: I23aec4e1c4d8807fc2ffc0eb3a08de2d8150219f
Reviewed-on: https://go-review.googlesource.com/c/text/+/293549
Trust: Marcel van Lohuizen <mpvl@golang.org>
Run-TryBot: Marcel van Lohuizen <mpvl@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
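
The grammar difference described in the commit message above, as an added example that is not part of the thread or of x/text: a standard-library-only walker for the -u- extension that accepts zero or more types per key, run on the tag from this issue. `UExt`, `parseUExt` and `onePerKey` are hypothetical names, and subtags are classified by length only, as the commit message states them.

```go
package main

import (
	"fmt"
	"strings"
)

type UExt struct { // hypothetical type, not part of x/text
	Attrs, Keys []string            // keys in order of appearance
	Types       map[string][]string // each key maps to zero or more types
}

// parseUExt reads the -u- extension by subtag length: attr/type 3-8, key 2.
func parseUExt(tag string) (*UExt, error) {
	sub := strings.Split(strings.ToLower(tag), "-")
	i := 1
	for ; i < len(sub) && sub[i] != "u" && sub[i] != "x"; i++ {
	}
	if i >= len(sub) || sub[i] == "x" {
		return nil, nil // no -u- extension; after "x" everything is private use
	}
	ext, key := &UExt{Types: map[string][]string{}}, ""
	for i++; i < len(sub) && len(sub[i]) != 1; i++ { // a singleton ends -u-
		switch n := len(sub[i]); {
		case n == 2: // new key; zero types may follow it
			key = sub[i]
			ext.Keys = append(ext.Keys, key)
		case n >= 3 && n <= 8 && key == "":
			ext.Attrs = append(ext.Attrs, sub[i])
		case n >= 3 && n <= 8:
			ext.Types[key] = append(ext.Types[key], sub[i])
		default:
			return nil, fmt.Errorf("malformed -u- subtag %q", sub[i])
		}
	}
	return ext, nil
}

// onePerKey reports whether the fixed <key>-<type> pairing would fit the input.
func onePerKey(e *UExt) bool {
	ok := true
	for _, k := range e.Keys {
		ok = ok && len(e.Types[k]) == 1
	}
	return ok
}

func main() {
	fmt.Println(parseUExt("ES-v-00-u-000-00")) // the tag from this issue
}
```

For the issue's tag the walker yields one attribute (`000`) and one key (`00`) with no type, so `onePerKey` is false: the input is valid under the spec grammar but does not fit the one-type-per-key layout.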