Upstream information
CVE-2020-14040 at MITRE
Description
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
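The description fixes the threshold at x/text 0.3.3, so the practical check on a Go code base is whether the pinned golang.org/x/text requirement sits below that release. The following Go program is an added example, not code from the SUSE page or the x/text project: it parses go.mod text for the golang.org/x/text requirement and reports whether the pinned version is older than v0.3.3, ordering pseudo-versions cut before the 0.3.3 tag as still affected. The function names and the sample go.mod are mine; the go.mod requirement is only a lower bound, so `go list -m golang.org/x/text` remains the authoritative answer for the resolved version.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

var fixedKey, _ = semverKey("v0.3.3") // first x/text release carrying the fix, per the CVE text

// Constructed sample go.mod for the test; not taken from the page.
const sampleGoMod = "module example.com/app\n\ngo 1.14\n\nrequire (\n\tgolang.org/x/text v0.3.2 // indirect\n)\n"

// semverKey maps "v0.3.2" or a pseudo-version like "v0.3.3-0.2020...-abcdef" to an integer ordered
// like semver (major, minor, patch in base 1000, then 0 for a pre-release suffix, 1 for a release),
// so a pseudo-version cut before the 0.3.3 tag sorts below it and still counts as affected.
func semverKey(v string) (key int64, err error) {
	v = strings.TrimPrefix(v, "v")
	release := int64(1)
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, release = v[:i], 0
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", v)
	}
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 {
			return 0, fmt.Errorf("bad version component %q", p)
		}
		key = key*1000 + int64(n)
	}
	return key*10 + release, nil
}

// Check scans go.mod text (single-line or block require) for golang.org/x/text and reports
// the pinned version and whether it is below the fix; version is "" when the module is absent.
func Check(goMod string) (version string, affected bool, err error) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if f[i] == "golang.org/x/text" && strings.HasPrefix(f[i+1], "v") {
				key, err := semverKey(f[i+1])
				return f[i+1], err == nil && key < fixedKey, err
			}
		}
	}
	return "", false, nil
}
```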
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having important severity.
CVSS v2 Scores
| CVSS detail | National Vulnerability Database |
|---|---|
| Base Score | 5 |
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Partial |
CVSS v3 Scores
| CVSS detail | National Vulnerability Database | SUSE |
|---|---|---|
| Base Score | 7.5 | 7.5 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | None | None |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | None | None |
| Integrity Impact | None | None |
| Availability Impact | High | High |
| CVSSv3 Version | 3.1 | 3.1 |
SUSE Bugzilla entry: 1174397 [RESOLVED / INVALID]
No SUSE Security Announcements cross referenced.
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Liberty Linux 8 | listed below | Patchnames: RHSA-2020:3665 RHSA-2020:4694 |

Fixed package versions for SUSE Liberty Linux 8:
- buildah >= 1.15.1-2.module+el8.3.0+8221+97165c3f
- buildah-tests >= 1.15.1-2.module+el8.3.0+8221+97165c3f
- cockpit-podman >= 18.1-2.module+el8.3.0+8221+97165c3f
- conmon >= 2.0.20-2.module+el8.3.0+8221+97165c3f
- container-selinux >= 2.144.0-1.module+el8.3.0+8221+97165c3f
- containernetworking-plugins >= 0.8.6-2.module+el8.3.0+8221+97165c3f
- containers-common >= 1.1.1-3.module+el8.3.0+8221+97165c3f
- crit >= 3.14-2.module+el8.3.0+8221+97165c3f
- criu >= 3.14-2.module+el8.3.0+8221+97165c3f
- crun >= 0.14.1-2.module+el8.3.0+8221+97165c3f
- delve >= 1.3.2-3.module+el8.2.0+5581+896cb53e
- fuse-overlayfs >= 1.1.2-3.module+el8.3.0+8221+97165c3f
- go-toolset >= 1.13.15-1.module+el8.2.0+7662+fa98b974
- golang >= 1.13.15-1.module+el8.2.0+7662+fa98b974
- golang-bin >= 1.13.15-1.module+el8.2.0+7662+fa98b974
- golang-docs >= 1.13.15-1.module+el8.2.0+7662+fa98b974
- golang-misc >= 1.13.15-1.module+el8.2.0+7662+fa98b974
- golang-race >= 1.13.15-1.module+el8.2.0+7662+fa98b974
- golang-src >= 1.13.15-1.module+el8.2.0+7662+fa98b974
- golang-tests >= 1.13.15-1.module+el8.2.0+7662+fa98b974
- libslirp >= 4.3.1-1.module+el8.3.0+8221+97165c3f
- libslirp-devel >= 4.3.1-1.module+el8.3.0+8221+97165c3f
- oci-seccomp-bpf-hook >= 1.1.2-3.module+el8.3.0+8221+97165c3f
- podman >= 2.0.5-5.module+el8.3.0+8221+97165c3f
- podman-catatonit >= 2.0.5-5.module+el8.3.0+8221+97165c3f
- podman-docker >= 2.0.5-5.module+el8.3.0+8221+97165c3f
- podman-remote >= 2.0.5-5.module+el8.3.0+8221+97165c3f
- podman-tests >= 2.0.5-5.module+el8.3.0+8221+97165c3f
- python-podman-api >= 1.2.0-0.2.gitd0a45fe.module+el8.3.0+8221+97165c3f
- python3-criu >= 3.14-2.module+el8.3.0+8221+97165c3f
- runc >= 1.0.0-68.rc92.module+el8.3.0+8221+97165c3f
- skopeo >= 1.1.1-3.module+el8.3.0+8221+97165c3f
- skopeo-tests >= 1.1.1-3.module+el8.3.0+8221+97165c3f
- slirp4netns >= 1.1.4-2.module+el8.3.0+8221+97165c3f
- toolbox >= 0.0.8-1.module+el8.3.0+8221+97165c3f
- udica >= 0.2.2-1.module+el8.3.0+8221+97165c3f
SUSE Timeline for this CVE
CVE page created: Thu Jun 18 04:12:28 2020
CVE page last modified: Mon Oct  6 19:25:33 2025