You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm trying to resolve a vulnerability with golang.org/x/text, in my project, by eliminating the offending version from my go.sum file (as required by a security scan tool). To understand the reason that I have this transitive dependency, I experimented with removing that go.sum line manually, then running golangci-lint, which showed me this:
$ golangci-lint run
ERRO Running error: context loading failed: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: github.com/rs/zerolog@v1.26.1 requires
golang.org/x/tools@v0.1.7 requires
golang.org/x/mod@v0.4.2 requires
golang.org/x/crypto@v0.0.0-20191011191535-87dc89f01550 requires
golang.org/x/net@v0.0.0-20190404232315-eb5bcb51f2a3 requires
golang.org/x/text@v0.3.0: missing go.sum entry; to add it:
go mod download golang.org/x/text
go: github.com/rs/zerolog@v1.26.1 requires
golang.org/x/tools@v0.1.7 requires
golang.org/x/mod@v0.4.2 requires
golang.org/x/crypto@v0.0.0-20191011191535-87dc89f01550 requires
golang.org/x/net@v0.0.0-20190404232315-eb5bcb51f2a3 requires
golang.org/x/text@v0.3.0: missing go.sum entry; to add it:
go mod download golang.org/x/text
I'm not too familiar with how the go mod system reports or manages these golang.org/x transitive dependencies, but in case this is accurate, I wanted to report this vulnerability in zerolog. I'm happy to help resolve this, with some advice.
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
There is a similar issue with the golang.org/x/crypto package: https://nvd.nist.gov/vuln/detail/CVE-2020-29652. This requires v0.0.0-20201203163018-be400aefbc4c or later. Resolving this one may cover the golang.org/x/text one.
(Also, thanks for the great library)
The text was updated successfully, but these errors were encountered:
I'm trying to resolve a vulnerability with golang.org/x/text, in my project, by eliminating the offending version from my go.sum file (as required by a security scan tool). To understand the reason that I have this transitive dependency, I experimented with removing that go.sum line manually, then running golangci-lint, which showed me this:
I'm not too familiar with how the go mod system reports or manages these golang.org/x transitive dependencies, but in case this is accurate, I wanted to report this vulnerability in zerolog. I'm happy to help resolve this, with some advice.
From https://nvd.nist.gov/vuln/detail/CVE-2020-14040:
There is a similar issue with the golang.org/x/crypto package: https://nvd.nist.gov/vuln/detail/CVE-2020-29652. This requires v0.0.0-20201203163018-be400aefbc4c or later. Resolving this one may cover the golang.org/x/text one.
(Also, thanks for the great library)
The text was updated successfully, but these errors were encountered: