Medium: golang

Issue Overview:

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service. (CVE-2020-14040)

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. (CVE-2020-16845)

Affected Packages:

golang

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update golang to update your system.

New Packages:

aarch64:  
    golang-1.13.15-1.amzn2.0.1.aarch64  
    golang-bin-1.13.15-1.amzn2.0.1.aarch64  
  
noarch:  
    golang-docs-1.13.15-1.amzn2.0.1.noarch  
    golang-misc-1.13.15-1.amzn2.0.1.noarch  
    golang-tests-1.13.15-1.amzn2.0.1.noarch  
    golang-src-1.13.15-1.amzn2.0.1.noarch  
  
src:  
    golang-1.13.15-1.amzn2.0.1.src  
  
x86_64:  
    golang-1.13.15-1.amzn2.0.1.x86_64  
    golang-bin-1.13.15-1.amzn2.0.1.x86_64  
    golang-race-1.13.15-1.amzn2.0.1.x86_64  

Additional References

Red Hat: CVE-2020-14040, CVE-2020-16845

Mitre: CVE-2020-14040, CVE-2020-16845