Version v0.3.3 of golang.org/x/text fixes a vulnerability in the golang.org/x/text/encoding/unicode package which could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory.
An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
transform.String has also been hardened not to enter an infinite loop if a Transformer keeps returning ErrShortSrc even if atEOF is true.
This issue was first filed as Issue 39491 by GitHub user abacabadabacaba and reported to the security team by Anton Gyllenberg. It is tracked as CVE-2020-14040.
Katie for the Go team"
We need to see if any packages we carry bundle/vendor a vulnerable version of this package. We do not seem to have it directly in tree.
Advisory URL: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/bXVeAmGOqz0/Y_caUbuWAwAJ
Bug URL: https://github.com/golang/go/issues/39491
We can look at references on Github to that bug which should help us track some of these down.