Bug 1181049 (CVE-2020-28852)

Summary:	VUL-0: CVE-2020-28852: go1.15,go1.14: go: Panic in language.ParseAcceptLanguage while processing bcp47 tag
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Marcus Meissner <meissner>
Component:	Incidents	Assignee:	Jeff Kowalczyk <jkowalczyk>
Status:	RESOLVED INVALID	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	abergmann, jkowalczyk, smash_bz, wolfgang.frisch
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/274460/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-28852:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Marcus Meissner 2021-01-18 09:53:13 UTC

In x/text in Go 1.15.4, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. x/text/language is supposed to be able to parse an HTTP Accept-Language header.

Upstream issue:

https://github.com/golang/go/issues/42536

Comment 1 Wolfgang Frisch 2021-01-20 09:58:55 UTC

Upstream fix:
https://go-review.googlesource.com/c/text/+/270697/

Additional references:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28852
https://nvd.nist.gov/vuln/detail/CVE-2020-28852
https://bugzilla.redhat.com/show_bug.cgi?id=1913338

Comment 2 Alexander Bergmann 2021-05-12 11:01:55 UTC

This issue is not directly about go, but about golang-org-x-text

https://github.com/CVEProject/cvelist/pull/855/commits/37dd7dae10d078a718f2bb6be5299bffab75ad0e

https://github.com/golang/text/releases/tag/v0.3.4

@Jeff, please verify.

Comment 3 Marcus Meissner 2021-06-02 12:55:10 UTC

i dont find the code in go1.15 sources at least, considering unaffected

Comment 4 Marcus Meissner 2022-12-05 15:18:34 UTC

not valid here