Vulnerability in golang.org/x/text v0.3.0

[alanbernstein]

From https://nvd.nist.gov/vuln/detail/CVE-2020-14040:

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

While trying to resolve this in my own project, I found that jwx requires this vulnerable version of golang.org/x/text. Can this dependency be updated to a newer version here? I started working on a branch, but I'm not actually sure how to pin a transitive dependency.

It looks like there is a similar issue with the golang.org/x/crypto package: https://nvd.nist.gov/vuln/detail/CVE-2020-29652. This requires v0.0.0-20201203163018-be400aefbc4c or later.

[lestrrat]

Seems like it's golang.org/x/crypto

% go mod graph | grep text
golang.org/x/net@v0.0.0-20190404232315-eb5bcb51f2a3 golang.org/x/text@v0.3.0

EDIT: I realize I posted about golang.org/x/net above, but it boils down to golang.og/x/crypto. Sorry for the confusion

[lestrrat]

@alanbernstein Thanks for the heads up!