Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/text/language: ParseAcceptLanguage takes a long time to parse complex tags #56152

Closed
rolandshoemaker opened this issue Oct 11, 2022 · 5 comments
Closed

x/text/language: ParseAcceptLanguage takes a long time to parse complex tags #56152

rolandshoemaker opened this issue Oct 11, 2022 · 5 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Unreleased

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Oct 11, 2022
edited

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers.

This is a PRIVATE issue for CVE-2022-32149, tracked in http://b/238189978 and fixed by http://tg/1565112

/cc @golang/security
@gopherbot
Copy link

Change https://go.dev/cl/442235 mentions this issue: language: reject excessively large Accept-Language strings

@rolandshoemaker rolandshoemaker changed the title security: fix CVE-2022-32149 x/text/language: ParseAcceptLanguage takes a long time to parse complex tags Oct 11, 2022
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 11, 2022
@dmitshur dmitshur added this to the Unreleased milestone Oct 11, 2022
ajm188 added a commit to planetscale/vitess that referenced this issue Oct 11, 2022
@ajm188
[deps] go get golang.org/x/text && go mod tidy
bdb05ca 
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>
@ajm188 ajm188 mentioned this issue Oct 11, 2022
Merged
3 tasks
deepthi pushed a commit to vitessio/vitess that referenced this issue Oct 11, 2022
@ajm188
[deps] go get golang.org/x/text && go mod tidy (#11466)
6beff61 
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>

Signed-off-by: Andrew Mason <andrew@planetscale.com>
vitess-bot bot pushed a commit to vitessio/vitess that referenced this issue Oct 11, 2022
@ajm188
[deps] go get golang.org/x/text && go mod tidy
d7cad2d 
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>
frouioui pushed a commit to vitessio/vitess that referenced this issue Oct 12, 2022
@vitess-bot @ajm188
[deps] go get golang.org/x/text && go mod tidy (#11467)
5836995 
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>

Signed-off-by: Andrew Mason <andrew@planetscale.com>
Co-authored-by: Andrew Mason <andrew@planetscale.com>
@crbednarz crbednarz mentioned this issue Oct 12, 2022
Merged
3 tasks
@SaschaSchwarze0 SaschaSchwarze0 mentioned this issue Oct 13, 2022
Merged
4 tasks
@ldemailly ldemailly mentioned this issue Oct 13, 2022
Merged
bbguimaraes added a commit to bbguimaraes/ci-tools that referenced this issue Oct 14, 2022
@bbguimaraes
Require golang.org/x/text >= v0.3.8
67dda8e 
golang/go#56152 causes our `snyk-deps` pre-submit job
to complain:

https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_ci-tools/3088/pull-ci-openshift-release-snyk-deps/1580892349003730944

Require a newer version of `golang.org/x/text` by:

- adding `golang.org/x/text v0.3.8` to the `require` section of `go.mod`
- `go mod tidy && go mod vendor && git add go.* vendor/ && git commit`
@bbguimaraes bbguimaraes mentioned this issue Oct 14, 2022
Merged
@mehta-ankit mehta-ankit mentioned this issue Oct 21, 2022
Merged
r10r added a commit to r10r/zoekt that referenced this issue Oct 26, 2022
@r10r
upgrade golang.org/x/text module
da83834 
This upgrades the golang.org/x/text module to mitigate CVE-2022-32149.
The vulnerability was reported by the Trivy scanner.

See also

https://nvd.nist.gov/vuln/detail/CVE-2022-32149
golang/go#56152
@r10r r10r mentioned this issue Oct 26, 2022
Merged
keegancsmith pushed a commit to sourcegraph/zoekt that referenced this issue Oct 27, 2022
@r10r
upgrade golang.org/x/text module (#455)
b87f8e5 
This upgrades the golang.org/x/text module to mitigate CVE-2022-32149.
The vulnerability was reported by the Trivy scanner.

See also

https://nvd.nist.gov/vuln/detail/CVE-2022-32149
golang/go#56152
@tzimmermann tzimmermann mentioned this issue Nov 28, 2022
Closed
renuka-fernando added a commit to renuka-fernando/ratelimit that referenced this issue Dec 9, 2022
@renuka-fernando
Upgrade golang.org/x/text to 0.3.8
4045d36 
Ref: golang/go#56152

Signed-off-by: Renuka Fernando <renukapiyumal@gmail.com>
@renuka-fernando renuka-fernando mentioned this issue Dec 9, 2022
Merged
mattklein123 pushed a commit to envoyproxy/ratelimit that referenced this issue Dec 12, 2022
@renuka-fernando
Upgrade golang.org/x/text to 0.3.8 (#382)
5e9a43f 
Ref: golang/go#56152

Signed-off-by: Renuka Fernando <renukapiyumal@gmail.com>
@rainerleber rainerleber mentioned this issue Jan 12, 2023
Merged
@SaurabhAhuja1983 SaurabhAhuja1983 mentioned this issue Jan 18, 2023
Closed
@cx-tatianab cx-tatianab mentioned this issue Feb 7, 2023
Open
@dorohayon dorohayon mentioned this issue Feb 7, 2023
Open
zebox added a commit to zebox/registry-admin that referenced this issue Feb 25, 2023
@zebox
fixed CVE-2022-32149
238400c 
Denial of service in golang.org/x/text/language
golang/go#56152
@Yoavast Yoavast mentioned this issue Feb 27, 2023
Open
@diogopcx diogopcx mentioned this issue Jun 27, 2023
Open
@maariitsme
Copy link

maariitsme commented Jul 24, 2023
edited

Hi Team
@rolandshoemaker @gopherbot @dmitshur @evanphx
It is patched in which golang version?

@ianlancetaylor
Copy link
Contributor

This was fixed in the golang.org/x/text repository. It's not in any particular Go release. I think the first revision of golang.org/x/text with the fix is v0.4.0.

@apcxtest apcxtest mentioned this issue Aug 17, 2023
Closed
barroca pushed a commit to barroca/ratelimit that referenced this issue Sep 1, 2023
@renuka-fernando @barroca
Upgrade golang.org/x/text to 0.3.8 (envoyproxy#382)
184adf8 
Ref: golang/go#56152

Signed-off-by: Renuka Fernando <renukapiyumal@gmail.com>
This was referenced Oct 16, 2023
Closed
Open
Open
timcovar pushed a commit to goatapp/ratelimit that referenced this issue Jan 16, 2024
@renuka-fernando @timcovar
Upgrade golang.org/x/text to 0.3.8 (envoyproxy#382)
dba9deb 
Ref: golang/go#56152

Signed-off-by: Renuka Fernando <renukapiyumal@gmail.com>
@ChrisZhangJin
Copy link

ChrisZhangJin commented Apr 3, 2024
edited

yes, it is fixed in golang.org/x/text repository, and it is not in any particular Go release. but there is reference relationship between the go version and x/text version.

when i run go mod graph in the src of go(any version), i can see the dependencies like this

go mod graph | grep text

std golang.org/x/text@v0.11.0
golang.org/x/crypto@v0.11.1-0.20230711161743-2e82bdd1719d golang.org/x/text@v0.11.0
golang.org/x/net@v0.12.1-0.20231027154334-5ca955b1789c golang.org/x/text@v0.11.0
golang.org/x/text@v0.11.0 golang.org/x/tools@v0.6.0
golang.org/x/text@v0.11.0 golang.org/x/mod@v0.8.0
golang.org/x/text@v0.11.0 golang.org/x/sys@v0.5.0

the text version was referred in the source code, i think. even if i upgrade the version of the x/text, how can i handle this part?

@neild
Copy link
Contributor

neild commented Apr 3, 2024

Nothing in the Go standard library uses this function, so no versions of Go itself are affected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
7 participants
@neild @dmitshur @ianlancetaylor @rolandshoemaker @gopherbot @ChrisZhangJin @maariitsme