
Security Issues with golang.org/x/text and golang.org/x/crypto #1566

Closed
sunny0826 opened this issue Dec 17, 2021 · 5 comments

@sunny0826

Just like spf13/viper#1176, older versions of golang.org/x/crypto and golang.org/x/text have security issues reported by CVE with proof-of-concept attacks.

Gemnasium reported these two security issues, which I found in a GitLab Dependencies Security scan.

Details

Loop with Unreachable Exit Condition (Infinite Loop) in golang.org/x/text

Description

The x/text package for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Severity: High
Tool: Dependency Scanning
Scanner: Gemnasium

Location

File: go.sum

Solution

Upgrade to version 0.3.3 or above.

Nil Pointer Dereference in golang.org/x/crypto

Description

A nil pointer dereference in the golang.org/x/crypto/ssh component enables remote attackers to cause a DoS against SSH servers.

Severity: High
Tool: Dependency Scanning
Scanner: Gemnasium

Location

File: go.sum

Solution

Upgrade to version v0.0.0-20201216223049-8b5274cf687f or above.

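The report above locates both findings in go.sum. As an added example (not code from this issue, from cobra, or from Gemnasium), here is a small Go checker that reads go.sum text and flags entries of the two modules that sit below the fixed versions the report names. Assumptions: the sample go.sum is constructed, with placeholder hashes; the version ordering is a simplified semver/pseudo-version comparison written for this example rather than golang.org/x/mod/semver; the fixed-version thresholds are copied from the two "Solution" lines above.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Minimum fixed versions, taken from the Gemnasium report quoted in the issue.
// Assumption: a version equal to or newer than the threshold is treated as fixed.
var fixedIn = map[string]string{
	"golang.org/x/text":   "v0.3.3",
	"golang.org/x/crypto": "v0.0.0-20201216223049-8b5274cf687f",
}

// Constructed go.sum excerpt (placeholder hashes, made-up pseudo-version commits).
// go.sum lists every version seen during resolution, not only the selected ones,
// so it deliberately contains both old and new versions of each module.
const sampleGoSum = `github.com/spf13/viper v1.10.0 h1:constructed=
github.com/spf13/viper v1.10.0/go.mod h1:constructed=
golang.org/x/crypto v0.0.0-20200622213623-aaaaaaaaaaaa h1:constructed=
golang.org/x/crypto v0.0.0-20200622213623-aaaaaaaaaaaa/go.mod h1:constructed=
golang.org/x/crypto v0.0.0-20210817164053-bbbbbbbbbbbb h1:constructed=
golang.org/x/crypto v0.0.0-20210817164053-bbbbbbbbbbbb/go.mod h1:constructed=
golang.org/x/text v0.3.2 h1:constructed=
golang.org/x/text v0.3.2/go.mod h1:constructed=
golang.org/x/text v0.3.7 h1:constructed=
golang.org/x/text v0.3.7/go.mod h1:constructed=
`

type finding struct {
	Module, Version, FixedIn string
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric parts
// and the pre-release string. Go pseudo-versions such as
// v0.0.0-20201216223049-8b5274cf687f are pre-releases in this grammar.
func parseSemver(v string) ([3]int, string, error) {
	var nums [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	pre := ""
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, "", fmt.Errorf("malformed version %q: %v", v, err)
		}
		nums[i] = n
	}
	return nums, pre, nil
}

// compareVersions returns -1, 0 or 1. A release sorts after any pre-release of
// the same MAJOR.MINOR.PATCH; two pre-releases are ordered by plain string
// comparison, which is correct for pseudo-versions because their timestamp
// field is fixed-width (simplified relative to full semver rules).
func compareVersions(a, b string) (int, error) {
	na, pa, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	nb, pb, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if na[i] < nb[i] {
			return -1, nil
		}
		if na[i] > nb[i] {
			return 1, nil
		}
	}
	switch {
	case pa == pb:
		return 0, nil
	case pa == "":
		return 1, nil
	case pb == "":
		return -1, nil
	case pa < pb:
		return -1, nil
	default:
		return 1, nil
	}
}

// scanGoSum reports every listed version of a tracked module that is older than
// its fixed version. The "/go.mod" sibling lines carry the same version and are
// deduplicated against the main line.
func scanGoSum(goSum string) ([]finding, error) {
	var out []finding
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 3 {
			continue
		}
		mod, ver := fields[0], strings.TrimSuffix(fields[1], "/go.mod")
		fixed, ok := fixedIn[mod]
		if !ok || seen[mod+" "+ver] {
			continue
		}
		seen[mod+" "+ver] = true
		c, err := compareVersions(ver, fixed)
		if err != nil {
			return nil, err
		}
		if c < 0 {
			out = append(out, finding{mod, ver, fixed})
		}
	}
	return out, sc.Err()
}

func main() {
	findings, err := scanGoSum(sampleGoSum)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s is below fixed version %s\n", f.Module, f.Version, f.FixedIn)
	}
}
```

On the constructed input this flags golang.org/x/crypto v0.0.0-20200622213623-aaaaaaaaaaaa and golang.org/x/text v0.3.2 and ignores the newer entries. The caveat a go.sum hit needs: go.sum records every module version encountered while resolving the graph, including versions that are not selected for the build, so a scanner that reads go.sum (the "File: go.sum" location in the report) can flag a version the binary never links. Confirm with `go list -m all` or `go mod why -m golang.org/x/text` (the `-m` form asks about the module; without it, `go mod why` asks about a package of that import path, which can report "does not need package" even when the module is in the build list).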

@sunny0826
Author

Scanned for the cobra project master branch and the latest version 1.3.0

@jpmcb
Collaborator

jpmcb commented Dec 21, 2021

These are both low severity for cobra and "indirect" security problems since we are importing viper:

➜ go mod why golang.org/x/crypto
# golang.org/x/crypto
(main module does not need package golang.org/x/crypto)

➜ go mod why golang.org/x/test
# golang.org/x/test
(main module does not need package golang.org/x/test)

Regardless, this should have been addressed in #1567 since viper has bumped its dependency. We'll cut a winter release shortly and get this out soon.

@jpmcb jpmcb added this to the Next milestone Dec 21, 2021
@github-actions

This issue is being marked as stale due to a long period of inactivity

@johnSchnake
Collaborator

So viper dependencies were removed with cobra-cli being extracted, correct? And we've had a new release anyways which the above comment says would have upgraded viper appropriately anyways.

Going to let @jpmcb close this since it's a security issue, but I think this is completed now.

@jpmcb
Collaborator

jpmcb commented Mar 25, 2022

> So viper dependencies were removed with cobra-cli being extracted, correct? And we've had a new release anyways which the above comment says would have upgraded viper appropriately anyways.

Correct - this can be closed

@jpmcb jpmcb closed this as completed Mar 25, 2022