Missing CVE-2020-14040 for golang.org/x/text

[SVilgelm]

Advisory details

  URL: https://nvd.nist.gov/vuln/detail/CVE-2020-14040
  format: go
  namespace: golang.org/x/text
  name: text
  versions: <v0.3.3

More information
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

[SVilgelm]

Hi @ken-duck,
how is it possible that the Sonatype index does not contain this CVE? It was published almost two month ago.

[ken-duck]

The free OSS Index service is provided on a best effort basis with its own dedicated research team. Due to the complexity of tracking all ecosystems and GitHub issues that our researchers trawl through to find new vulnerabilities, occasionally things fall through the cracks, particularly when things like NVD do not necessarily provide precise identifiers. We are continually working to improve the automation of the system, but we depend on our users of the free service to help us keep track of issues that may otherwise have been missed. Thanks helping make OSS Index better!

[ken-duck]

Incidentally, you should see this CVE show up in public results sometime tomorrow, all going well.

[SVilgelm]

@ken-duck thanks you so much, I thought it works somehow automagically :)

[ken-duck]

No problem. :)

It works semi-automatically, and we are continually working on improving that automation, but there will likely always be a human element.

[ken-duck]

CLosing old issues. Verification that this issue is in the DB: https://ossindex.sonatype.org/vuln/3d737bfb-fa67-4614-92cc-13e44f997639?component-type=golang&component-name=golang.org/x/text/text