x/text/language: ParseAcceptLanguage takes a long time to parse complex tags #56152

Closed
rolandshoemaker opened this issue Oct 11, 2022 · 1 comment
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone

Comments

@rolandshoemaker
Member

rolandshoemaker commented Oct 11, 2022

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers.

This is a PRIVATE issue for CVE-2022-32149, tracked in http://b/238189978 and fixed by http://tg/1565112

/cc @golang/security
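The fix the issue refers to rejects excessively large Accept-Language strings before the BCP 47 parser does its per-tag work. The following is an added example, not code from x/text or from the CL, showing the same idea at the application layer in standard-library Go: size checks that run in linear time and fail closed on oversized headers, wrapped in an HTTP handler that answers 400 instead of spending CPU. The thresholds, the helper names, and the sample headers are all assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Limits enforced before any per-tag parsing. These values are assumptions
// chosen for this example, not the threshold adopted in x/text.
const (
	maxAcceptLanguageBytes = 1024 // whole header value
	maxLanguageRanges      = 32   // comma-separated entries
	maxSubtagsPerRange     = 8    // hyphen-separated pieces in one tag
)

var errTooLarge = errors.New("accept-language: header exceeds configured limits")

// langRange is one Accept-Language entry with its q-value.
type langRange struct {
	Tag string
	Q   float64
}

// boundedParseAcceptLanguage splits a header value into ranges and q-values.
// Each bound is checked with a linear scan before the per-range work, so an
// attacker-sized header is refused without reaching any costlier parser.
func boundedParseAcceptLanguage(s string) ([]langRange, error) {
	if len(s) > maxAcceptLanguageBytes {
		return nil, errTooLarge
	}
	parts := strings.Split(s, ",")
	if len(parts) > maxLanguageRanges {
		return nil, errTooLarge
	}
	var out []langRange
	for _, p := range parts {
		p = strings.TrimSpace(p)
		if p == "" {
			continue // tolerate a trailing comma or doubled separator
		}
		tag, q := p, 1.0
		if i := strings.Index(p, ";"); i >= 0 {
			tag = strings.TrimSpace(p[:i])
			param := strings.TrimSpace(p[i+1:])
			if !strings.HasPrefix(strings.ToLower(param), "q=") {
				return nil, fmt.Errorf("accept-language: unexpected parameter %q", param)
			}
			v, err := strconv.ParseFloat(param[2:], 64)
			if err != nil || v < 0 || v > 1 {
				return nil, fmt.Errorf("accept-language: bad q-value %q", param)
			}
			q = v
		}
		if tag == "" {
			return nil, errors.New("accept-language: empty language range")
		}
		if strings.Count(tag, "-")+1 > maxSubtagsPerRange {
			return nil, errTooLarge
		}
		out = append(out, langRange{Tag: tag, Q: q})
	}
	return out, nil
}

// preferredTag picks the range with the highest q-value, or fallback when
// the header names nothing usable.
func preferredTag(ranges []langRange, fallback string) string {
	best, bestQ := fallback, -1.0
	for _, r := range ranges {
		if r.Q > bestQ {
			best, bestQ = r.Tag, r.Q
		}
	}
	return best
}

// langHandler answers 400 for a header that fails the bounds instead of
// handing it to a parser.
func langHandler(w http.ResponseWriter, r *http.Request) {
	ranges, err := boundedParseAcceptLanguage(r.Header.Get("Accept-Language"))
	if err != nil {
		http.Error(w, "bad Accept-Language header", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "lang=%s\n", preferredTag(ranges, "en"))
}

// statusForHeader drives langHandler in-process with one header value and
// returns the HTTP status it produced.
func statusForHeader(acceptLanguage string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Accept-Language", acceptLanguage)
	rec := httptest.NewRecorder()
	langHandler(rec, req)
	return rec.Code
}

func main() {
	// Constructed inputs: a typical browser header, then a 1200-byte header
	// built from repeated subtags that should be refused outright.
	for _, h := range []string{
		"fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5",
		strings.Repeat("a-", 600),
	} {
		fmt.Printf("%d bytes -> HTTP %d\n", len(h), statusForHeader(h))
	}
}
```

The byte, range and subtag bounds are the point; the q-value handling is only there so the guard returns something usable. net/http's own request-header cap (http.DefaultMaxHeaderBytes, 1 MiB) is far above what a parser with worse-than-linear cost can absorb, so a bound like this still matters at the application layer. It is a mitigation for code that cannot yet upgrade; the real fix is the patched golang.org/x/text release (v0.3.8, as the commits below pick up).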

@gopherbot

Change https://go.dev/cl/442235 mentions this issue: language: reject excessively large Accept-Language strings

@rolandshoemaker rolandshoemaker changed the title security: fix CVE-2022-32149 x/text/language: ParseAcceptLanguage takes a long time to parse complex tags Oct 11, 2022
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 11, 2022
@dmitshur dmitshur added this to the Unreleased milestone Oct 11, 2022
ajm188 added a commit to planetscale/vitess that referenced this issue Oct 11, 2022
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>
deepthi pushed a commit to vitessio/vitess that referenced this issue Oct 11, 2022
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>

Signed-off-by: Andrew Mason <andrew@planetscale.com>
vitess-bot bot pushed a commit to vitessio/vitess that referenced this issue Oct 11, 2022
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>
frouioui pushed a commit to vitessio/vitess that referenced this issue Oct 12, 2022
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>

Signed-off-by: Andrew Mason <andrew@planetscale.com>
Co-authored-by: Andrew Mason <andrew@planetscale.com>
bbguimaraes added a commit to bbguimaraes/ci-tools that referenced this issue Oct 14, 2022
golang/go#56152 causes our `snyk-deps` pre-submit job
to complain:

https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_ci-tools/3088/pull-ci-openshift-release-snyk-deps/1580892349003730944

Require a newer version of `golang.org/x/text` by:

- adding `golang.org/x/text v0.3.8` to the `require` section of `go.mod`
- `go mod tidy && go mod vendor && git add go.* vendor/ && git commit`
maxenglander pushed a commit to maxenglander/vitess that referenced this issue Oct 20, 2022
This is to pick up the fix for golang/go#56152.

Signed-off-by: Andrew Mason <andrew@planetscale.com>

Signed-off-by: Andrew Mason <andrew@planetscale.com>
r10r added a commit to r10r/zoekt that referenced this issue Oct 26, 2022
This upgrades the golang.org/x/text module to mitigate CVE-2022-32149.
The vulnerability was reported by the Trivy scanner.

See also

https://nvd.nist.gov/vuln/detail/CVE-2022-32149
golang/go#56152
keegancsmith pushed a commit to sourcegraph/zoekt that referenced this issue Oct 27, 2022
This upgrades the golang.org/x/text module to mitigate CVE-2022-32149.
The vulnerability was reported by the Trivy scanner.

See also

https://nvd.nist.gov/vuln/detail/CVE-2022-32149
golang/go#56152
renuka-fernando added a commit to renuka-fernando/ratelimit that referenced this issue Dec 9, 2022
Ref: golang/go#56152

Signed-off-by: Renuka Fernando <renukapiyumal@gmail.com>
mattklein123 pushed a commit to envoyproxy/ratelimit that referenced this issue Dec 12, 2022
Ref: golang/go#56152

Signed-off-by: Renuka Fernando <renukapiyumal@gmail.com>