ALAS-2020-1436


Amazon Linux 1 Security Advisory: ALAS-2020-1436
Advisory Release Date: 2020-10-26 18:04 Pacific
Advisory Updated Date: 2020-10-27 23:38 Pacific
Severity: Medium

Issue Overview:

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF-16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. This is a denial of service vulnerability in the golang.org/x/text library: a library or application must call one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Bytes, to be susceptible. If an attacker is able to supply specific characters or strings to the vulnerable application, they can cause an infinite loop that consumes ever more memory, resulting in a denial of service. (CVE-2020-14040)

Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. (CVE-2020-16845)
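The following is an added illustration, not part of this advisory or of the Go standard library: a bounded unsigned varint reader in the style of encoding/binary that gives up after MaxVarintLen64 bytes, so an input stream that keeps the continuation bit set forever (a constructed hostile reader, below) returns an error instead of looping. The names ReadUvarintBounded and continuationReader are assumptions introduced for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// MaxVarintLen64 is the maximum number of bytes a 64-bit varint can occupy.
const MaxVarintLen64 = 10

var ErrOverflow = errors.New("varint overflows a 64-bit integer")

// ReadUvarintBounded decodes a base-128 varint (the encoding/binary format)
// from r. The loop is capped at MaxVarintLen64 iterations, so a reader that
// never yields a byte with the continuation bit clear ends in ErrOverflow
// rather than an endless loop. (Hypothetical name, added for this example.)
func ReadUvarintBounded(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF // truncated inside a varint
			}
			return x, err
		}
		if b < 0x80 {
			if i == MaxVarintLen64-1 && b > 1 {
				return x, ErrOverflow // 10th byte may contribute one bit only
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, ErrOverflow
}

// continuationReader is a constructed hostile input: every byte has the
// continuation bit (0x80) set, so no varint ever terminates and EOF never comes.
type continuationReader struct{}

func (continuationReader) ReadByte() (byte, error) { return 0x80, nil }

func main() {
	v, err := ReadUvarintBounded(bytes.NewReader([]byte{0xE5, 0x8E, 0x26}))
	fmt.Println(v, err) // 624485 <nil>
	_, err = ReadUvarintBounded(continuationReader{})
	fmt.Println(err) // varint overflows a 64-bit integer
}
```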


Affected Packages:

golang


Issue Correction:
Run yum update golang to update your system.

New Packages:
i686:
    golang-1.13.15-1.59.amzn1.i686
    golang-bin-1.13.15-1.59.amzn1.i686

noarch:
    golang-docs-1.13.15-1.59.amzn1.noarch
    golang-tests-1.13.15-1.59.amzn1.noarch
    golang-misc-1.13.15-1.59.amzn1.noarch
    golang-src-1.13.15-1.59.amzn1.noarch

src:
    golang-1.13.15-1.59.amzn1.src

x86_64:
    golang-bin-1.13.15-1.59.amzn1.x86_64
    golang-1.13.15-1.59.amzn1.x86_64
    golang-race-1.13.15-1.59.amzn1.x86_64