Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/text/language: ParseAcceptLanguage takes a long time to parse complex tags #56152

Closed
rolandshoemaker opened this issue Oct 11, 2022 · 5 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Oct 11, 2022

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers.

This is a PRIVATE issue for CVE-2022-32149, tracked in http://b/238189978 and fixed by http://tg/1565112

/cc @golang/security

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/442235 mentions this issue: language: reject excessively large Accept-Language strings

@rolandshoemaker rolandshoemaker changed the title security: fix CVE-2022-32149 x/text/language: ParseAcceptLanguage takes a long time to parse complex tags Oct 11, 2022
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 11, 2022
@dmitshur dmitshur added this to the Unreleased milestone Oct 11, 2022
ajm188 pushed a commit to planetscale/vitess that referenced this issue Oct 11, 2022
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>
deepthi pushed a commit to vitessio/vitess that referenced this issue Oct 11, 2022
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>

Signed-off-by: Andrew Mason <andrew@planetscale.com>
vitess-bot bot pushed a commit to vitessio/vitess that referenced this issue Oct 11, 2022
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>
frouioui pushed a commit to vitessio/vitess that referenced this issue Oct 12, 2022
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>

Signed-off-by: Andrew Mason <andrew@planetscale.com>
Co-authored-by: Andrew Mason <andrew@planetscale.com>
bbguimaraes added a commit to bbguimaraes/ci-tools that referenced this issue Oct 14, 2022
golang/go#56152 causes our `snyk-deps` pre-submit job
to complain:

https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_ci-tools/3088/pull-ci-openshift-release-snyk-deps/1580892349003730944

Require a newer version of `golang.org/x/text` by:

- adding `golang.org/x/text v0.3.8` to the `require` section of `go.mod`
- `go mod tidy && go mod vendor && git add go.* vendor/ && git commit`
r10r added a commit to r10r/zoekt that referenced this issue Oct 26, 2022
This upgrades the golang.org/x/text module to mitigate CVE-2022-32149.
The vulnerability was reported by the Trivy scanner.

See also

https://nvd.nist.gov/vuln/detail/CVE-2022-32149
golang/go#56152
keegancsmith pushed a commit to sourcegraph/zoekt that referenced this issue Oct 27, 2022
This upgrades the golang.org/x/text module to mitigate CVE-2022-32149.
The vulnerability was reported by the Trivy scanner.

See also

https://nvd.nist.gov/vuln/detail/CVE-2022-32149
golang/go#56152
renuka-fernando added a commit to renuka-fernando/ratelimit that referenced this issue Dec 9, 2022
Ref: golang/go#56152

Signed-off-by: Renuka Fernando <renukapiyumal@gmail.com>
mattklein123 pushed a commit to envoyproxy/ratelimit that referenced this issue Dec 12, 2022
Ref: golang/go#56152

Signed-off-by: Renuka Fernando <renukapiyumal@gmail.com>
zebox added a commit to zebox/registry-admin that referenced this issue Feb 25, 2023
Denial of service in golang.org/x/text/language
golang/go#56152
@maariitsme
Copy link

maariitsme commented Jul 24, 2023

Hi Team
@rolandshoemaker @gopherbot @dmitshur @evanphx
It is patched in which golang version?

@ianlancetaylor
Copy link
Contributor

This was fixed in the golang.org/x/text repository. It's not in any particular Go release. I think the first revision of golang.org/x/text with the fix is v0.4.0.

barroca pushed a commit to barroca/ratelimit that referenced this issue Sep 1, 2023
Ref: golang/go#56152

Signed-off-by: Renuka Fernando <renukapiyumal@gmail.com>
timcovar pushed a commit to goatapp/ratelimit that referenced this issue Jan 16, 2024
Ref: golang/go#56152

Signed-off-by: Renuka Fernando <renukapiyumal@gmail.com>
@ChrisZhangJin
Copy link

ChrisZhangJin commented Apr 3, 2024

yes, it is fixed in golang.org/x/text repository, and it is not in any particular Go release. but there is reference relationship between the go version and x/text version.

when i run go mod graph in the src of go(any version), i can see the dependencies like this

go mod graph | grep text

std golang.org/x/text@v0.11.0
golang.org/x/crypto@v0.11.1-0.20230711161743-2e82bdd1719d golang.org/x/text@v0.11.0
golang.org/x/net@v0.12.1-0.20231027154334-5ca955b1789c golang.org/x/text@v0.11.0
golang.org/x/text@v0.11.0 golang.org/x/tools@v0.6.0
golang.org/x/text@v0.11.0 golang.org/x/mod@v0.8.0
golang.org/x/text@v0.11.0 golang.org/x/sys@v0.5.0

the text version was referred in the source code, i think. even if i upgrade the version of the x/text, how can i handle this part?

@neild
Copy link
Contributor

neild commented Apr 3, 2024

Nothing in the Go standard library uses this function, so no versions of Go itself are affected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Development

No branches or pull requests

7 participants