[security] Vulnerability in golang.org/x/text/encoding/unicode v0.3.2

Hello gophers, Version v0.3.3 of golang.org/x/text fixes a vulnerability in the golang.org/x/text/encoding/unicode package which could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. transform.String has also been hardened not to enter an infinite loop if a Transformer keeps returning ErrShortSrc even if atEOF is true. This issue was first filed as Issue 39491 by GitHub user abacabadabacaba and reported to the security team by Anton Gyllenberg. It is tracked as CVE-2020-14040. Cheers, Katie for the Go team Kubernetes-commit: 3cef97e8b5f67b4a350ee7a51e68604732e46f58
2025-01-19 16:12:52 +08:00 · 2020-06-17 07:57:05 -04:00 · 2020-06-17 07:57:05 -04:00 · c21e531b4a
commit c21e531b4a
parent 30f91c5735
2 changed files with 11 additions and 12 deletions
--- a/go.mod
+++ b/go.mod
@ -5,18 +5,19 @@ module k8s.io/sample-controller
 go 1.13

 require (
-	k8s.io/api v0.0.0-20200617090426-8a7a6938a421
-	k8s.io/apimachinery v0.0.0-20200618091750-6e0343cc28d1
-	k8s.io/client-go v0.0.0-20200618092151-3ab27431ef50
-	k8s.io/code-generator v0.0.0-20200618091610-c06e59e67ce8
+	k8s.io/api v0.0.0
+	k8s.io/apimachinery v0.0.0
+	k8s.io/client-go v0.0.0
+	k8s.io/code-generator v0.0.0
 	k8s.io/klog/v2 v2.1.0
 )

 replace (
 	golang.org/x/sys => golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a // pinned to release-branch.go1.13
 	golang.org/x/tools => golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7 // pinned to release-branch.go1.13
-	k8s.io/api => k8s.io/api v0.0.0-20200617090426-8a7a6938a421
-	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200618091750-6e0343cc28d1
-	k8s.io/client-go => k8s.io/client-go v0.0.0-20200618092151-3ab27431ef50
-	k8s.io/code-generator => k8s.io/code-generator v0.0.0-20200618091610-c06e59e67ce8
+	k8s.io/api => ../api
+	k8s.io/apimachinery => ../apimachinery
+	k8s.io/client-go => ../client-go
+	k8s.io/code-generator => ../code-generator
+	k8s.io/sample-controller => ../sample-controller
 )
--- a/go.sum
+++ b/go.sum
@ -236,6 +236,8 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
@ -297,10 +299,6 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-k8s.io/api v0.0.0-20200617090426-8a7a6938a421/go.mod h1:kD7EG+Wyq5Fu0MAEBkXyQVnnjyj/ChS5/vewKVRDaYI=
-k8s.io/apimachinery v0.0.0-20200618091750-6e0343cc28d1/go.mod h1:OO1oUmqmYEvK9/2GigG7tpElec1NAKGniAPppy1PJGA=
-k8s.io/client-go v0.0.0-20200618092151-3ab27431ef50/go.mod h1:bOoihAsKle+a9FgufU/ghgSzgvF7xJ/su3zwy/pfK3c=
-k8s.io/code-generator v0.0.0-20200618091610-c06e59e67ce8/go.mod h1:6NiFnMML+4VaG+kHKew+dc+SBC3Q+5NTNQIHdJJbG3w=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14 h1:t4L10Qfx/p7ASH3gXCdIUtPbbIuegCoUJf3TMSFekjw=
 k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=