Bug 728510 (CVE-2020-14040) - [Tracker] Denial of service via malicious string (CVE-2020-14040)
Summary: [Tracker] Denial of service via malicious string (CVE-2020...
Alias: CVE-2020-14040
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Depends on:
Reported: 2020-06-17 00:06 UTC by Sam James
Modified: 2021-01-28 03:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester gentoo-dev Security 2020-06-17 00:06:11 UTC
"Hello gophers,

Version v0.3.3 of fixes a vulnerability in the package which could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory.

An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to

transform.String has also been hardened not to enter an infinite loop if a Transformer keeps returning ErrShortSrc even if atEOF is true.

This issue was first filed as Issue 39491 by GitHub user abacabadabacaba and reported to the security team by Anton Gyllenberg. It is tracked as CVE-2020-14040.

Katie for the Go team"
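The transform.String hardening the announcement describes, as an added example that is not part of this bug, of the Go team's announcement or of golang.org/x/text itself: a local Transformer interface with the same method shape as x/text/transform, a constructed stand-in transformer modelling the pre-fix "always ask for a second byte" behaviour on a lone BOM byte, and a driver that stops with an error when atEOF is true and the transformer consumed nothing instead of looping forever. The names stuckBOMDecoder, hardenedString and ErrNoProgress are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrShortSrc   = errors.New("transform: short source buffer") // mirrors transform.ErrShortSrc
	ErrNoProgress = errors.New("transform: no progress at EOF")  // added by the hardened driver
)

// Transformer has the same method shape as golang.org/x/text/transform.Transformer.
type Transformer interface {
	Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error)
}

// stuckBOMDecoder is a constructed stand-in for the pre-fix decoder (not the real encoding/unicode code): given a lone byte it consumes nothing and ignores atEOF.
type stuckBOMDecoder struct{}

func (stuckBOMDecoder) Transform(dst, src []byte, atEOF bool) (int, int, error) {
	if len(src) < 2 {
		return 0, 0, ErrShortSrc // "need the second BOM byte", even when atEOF is true
	}
	n := copy(dst, src)
	return n, n, nil
}

// hardenedString drives t over s like transform.String, but treats ErrShortSrc with atEOF == true and nothing consumed as fatal; the step bound is a second safety net.
func hardenedString(t Transformer, s string) (string, error) {
	src, dst, out := []byte(s), make([]byte, 64), []byte{}
	for steps := 0; steps < 1024; steps++ {
		nDst, nSrc, err := t.Transform(dst, src, true)
		out, src = append(out, dst[:nDst]...), src[nSrc:]
		if err == nil {
			return string(out), nil
		}
		if !errors.Is(err, ErrShortSrc) {
			return string(out), err // a genuine transform error
		}
		if nSrc == 0 {
			return string(out), ErrNoProgress // input exhausted, nothing consumed: the old infinite loop
		}
	}
	return string(out), ErrNoProgress
}

func main() {
	fmt.Println(hardenedString(stuckBOMDecoder{}, "\xff")) // terminates with ErrNoProgress
}
```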
Comment 1 Sam James archtester gentoo-dev Security 2020-06-17 00:07:04 UTC
We need to see if any packages we carry bundle/vendor a vulnerable version of this package. We do not seem to have it directly in tree.
Comment 2 Sam James archtester gentoo-dev Security 2020-06-17 00:09:59 UTC
Advisory URL:!msg/golang-announce/bXVeAmGOqz0/Y_caUbuWAwAJ

Bug URL:

We can look at references on Github to that bug which should help us track some of these down.