golang.org/x/text known bugs

Ecosystem: go

6 known bugs in golang.org/x/text, with the affected versions and the release that fixes each. Sourced from upstream advisory databases (OSV and GitHub Security Advisories); the source identifier is given per entry.

Known bugs
Severity: high | Affected: any | Fixed in: 0.3.7
golang.org/x/text/language Out-of-bounds Read vulnerability
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing, because an index calculation is mishandled. If the parser is applied to untrusted user input, this can be used as a denial-of-service vector.
Status: fixed | Source: osv:GHSA-ppp9-7jff-5vj2

Severity: high | Affected: any | Fixed in: 0.3.8
golang.org/x/text/language Denial of service via crafted Accept-Language header
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead, the upstream fix limits the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real-world use cases, where the number of tags being sent is likely to be in the single digits.
Specific Go packages affected: golang.org/x/text/language
Status: fixed | Source: osv:GHSA-69ch-w2m2-3vjp

Severity: medium | Affected: any | Fixed in: 0.3.8
Denial of service via crafted Accept-Language header in golang.org/x/text/language
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Status: fixed | Source: osv:GO-2022-1059

Severity: medium | Affected: any | Fixed in: 0.3.7
Out-of-bounds read in golang.org/x/text/language
Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out-of-bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial-of-service attack.
Status: fixed | Source: osv:GO-2021-0113

Severity: medium | Affected: any | Fixed in: 0.3.3
Infinite loop when decoding some inputs in golang.org/x/text
An attacker could provide a single byte to a UTF-16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user-supplied input, this may be used as a denial-of-service vector.
Status: fixed | Source: osv:GO-2020-0015

Severity: medium | Affected: any | Fixed in: 0.3.3
golang.org/x/text Infinite loop
Version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF-16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Specific Go packages affected: golang.org/x/text/encoding/unicode, golang.org/x/text/transform
Status: fixed | Source: osv:GHSA-5rcv-m4m3-hfh7
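Two practical consequences of the entries above, as an added example that is not part of the DepScope page or of golang.org/x/text itself: first, a service can decide from the module version it actually builds with (the output of `go list -m -f '{{.Version}}' golang.org/x/text`) which of the listed advisories still apply; second, a handler that must keep running on an unpatched version can apply the same 1000-dash cap that 0.3.8 introduced before the header reaches the parser, and convert the pre-0.3.7 panic into an error. The parser is injected as a function value so the block runs offline; in real code it would wrap language.ParseAcceptLanguage from golang.org/x/text/language. The version table is copied from the entries above; the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// x/text 0.3.8 bounds the parser's quadratic work by refusing Accept-Language
// values with more than 1000 dashes (GHSA-69ch-w2m2-3vjp); the same cap is
// applied here before the header ever reaches the parser.
const maxAcceptLanguageDashes = 1000

var (
	ErrTooManyDashes  = errors.New("accept-language: too many subtags")
	ErrParserPanicked = errors.New("accept-language: parser panicked")
)

// GuardAcceptLanguage rejects a header whose subtag count could force the
// BCP 47 parser into quadratic work.
func GuardAcceptLanguage(header string) error {
	if strings.Count(header, "-") > maxAcceptLanguageDashes {
		return ErrTooManyDashes
	}
	return nil
}

// SafeParse applies the guard, then calls parse and converts a panic (the
// pre-0.3.7 out-of-bounds read) into an error so one request cannot crash the
// process. parse stands in for language.ParseAcceptLanguage (injected, not imported).
func SafeParse(parse func(string) error, header string) (err error) {
	if err := GuardAcceptLanguage(header); err != nil {
		return err
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrParserPanicked, r)
		}
	}()
	return parse(header)
}

// advisory is one row of the table above: source ID and first fixed version.
type advisory struct{ ID, FixedIn string }

var advisories = []advisory{
	{"GHSA-ppp9-7jff-5vj2", "0.3.7"}, {"GO-2021-0113", "0.3.7"},
	{"GHSA-69ch-w2m2-3vjp", "0.3.8"}, {"GO-2022-1059", "0.3.8"},
	{"GHSA-5rcv-m4m3-hfh7", "0.3.3"}, {"GO-2020-0015", "0.3.3"},
}

// parseVersion accepts "v0.3.7" or "0.3.7". Pre-release and pseudo-versions
// such as "v0.3.8-0.2022..." are rejected rather than guessed at.
func parseVersion(v string) (out [3]int, err error) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unsupported version %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil || out[i] < 0 {
			return out, fmt.Errorf("unsupported version %q", v)
		}
	}
	return out, nil
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Affecting returns the advisory IDs from the table that still apply to the
// given golang.org/x/text version, i.e. those fixed only in a later release.
func Affecting(version string) ([]string, error) {
	have, err := parseVersion(version)
	if err != nil {
		return nil, err
	}
	var ids []string
	for _, a := range advisories {
		if fixed, _ := parseVersion(a.FixedIn); less(have, fixed) {
			ids = append(ids, a.ID)
		}
	}
	return ids, nil
}

func main() {
	// Constructed inputs: a version as printed by
	// `go list -m -f '{{.Version}}' golang.org/x/text`, and a crafted header.
	fmt.Println(Affecting("v0.3.7"))
	fmt.Println(GuardAcceptLanguage(strings.Repeat("a-", 1001)))
	fmt.Println(SafeParse(func(string) error { panic("index out of range") }, "en-US"))
}
```

Affecting deliberately refuses pseudo-versions and pre-releases instead of mapping them to the nearest tagged release: a build pinned to a commit between 0.3.7 and 0.3.8 may or may not contain the dash limit, and a version checker that guesses is worse than one that reports it cannot tell. The guard is only a stopgap for the quadratic-parse entries; the real fix is moving to 0.3.8 or later, which also covers the two earlier entries.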
API access

Get this data programmatically, free and with no authentication.

curl https://depscope.dev/api/bugs/go/golang.org/x/text