Closed ybocalandro closed 2 years ago
Hi @ybocalandro! Thanks for reporting this, and submitting the PR.
I don't believe that cty is using any of the functions you indicated here itself, since we use that module exclusively for its unicode/norm sub-package and not for any of the language-related functionality. Also, any application using this library is free to upgrade its own dependency on golang.org/x/text if there are application-level concerns about including the vulnerable module.
For that reason, I'm going to merge this as a non-urgent "good hygiene" update now, but I will wait before releasing it and hold for the next "normal" release, which will come either when I next have some time to process the issue/PR queue or when there's a particular downstream demand for something that hasn't been released yet.
Thanks again!
Thanks @apparentlymart, the driver for this change is a dependency on this other PR causing this build to fail:

Run go fmt ./...
go: github.com/zclconf/go-cty@v1.8.4 requires
    golang.org/x/text@v0.3.5: missing go.sum entry; to add it:
    go mod download golang.org/x/text
Error: Process completed with exit code 1.
Request to update the golang.org/x/text library to the non-vulnerable version v0.3.7 (CVE-2021-38561).

Description from CVE: golang-x-text - Out-of-bounds Read

Explanation: The golang.org/x/text package is vulnerable due to an Out-of-bounds Read. The files and functions listed below do not properly handle index calculations when parsing formatted language tags. A remote attacker can exploit this behavior by supplying a specially-crafted language tag to trigger a panic, causing an application crash and ultimately a Denial of Service (DoS) condition.
Vulnerable File(s) and Function(s):

internal/language/language.go: ParseExtension(), ParseBase(), ParseScript(), ParseRegion(), ParseVariant()
internal/language/parse.go: Parse()
language/parse.go: Parse(), Compose(), ParseAcceptLanguage()
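As an added example (not part of this issue, the PR, or go-cty's own code), the following Go program does the check a downstream application owner would want after reading the maintainer's comment above: it scans a module's go.mod for the golang.org/x/text requirement and reports whether it is still below the fixed release v0.3.7. The go.mod text is constructed for illustration; the require-line scanner and the semver comparison are deliberately minimal stand-ins for what `go list -m golang.org/x/text` or golang.org/x/mod/modfile would give you in a real repository.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod for an application that depends on
// go-cty v1.8.4, which (per the CI error in this thread) pulls in
// golang.org/x/text v0.3.5. It is not a real project file.
const sampleGoMod = `module example.com/app

go 1.17

require (
	github.com/zclconf/go-cty v1.8.4
	golang.org/x/text v0.3.5 // indirect
)
`

// fixedXText is the first golang.org/x/text release this issue asks for.
const fixedXText = "v0.3.7"

// parseSemver splits "vMAJOR.MINOR.PATCH" into three integers. Any
// pre-release or pseudo-version suffix (after '-' or '+') is dropped, which
// is sufficient for comparing tagged releases like v0.3.5 and v0.3.7.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a vX.Y.Z version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in version %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// compareSemver returns -1, 0 or 1 (like bytes.Compare) for a vs b.
func compareSemver(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		switch {
		case a[i] < b[i]:
			return -1
		case a[i] > b[i]:
			return 1
		}
	}
	return 0
}

// requiredVersion scans go.mod text for the require line of modPath, either
// inside a "require ( ... )" block or as a single "require path version"
// line, and returns the version it pins. Trailing comments are ignored.
func requiredVersion(goMod, modPath string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if c := strings.Index(line, "//"); c >= 0 {
			line = strings.TrimSpace(line[:c])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue
		}
		if f := strings.Fields(line); len(f) == 2 && f[0] == modPath {
			return f[1], true
		}
	}
	return "", false
}

// vulnerableXText reports the golang.org/x/text version a go.mod requires
// and whether it is below fixedXText. An empty version means the module does
// not require golang.org/x/text at all.
func vulnerableXText(goMod string) (version string, vulnerable bool, err error) {
	v, ok := requiredVersion(goMod, "golang.org/x/text")
	if !ok {
		return "", false, nil
	}
	have, err := parseSemver(v)
	if err != nil {
		return v, false, err
	}
	want, _ := parseSemver(fixedXText)
	return v, compareSemver(have, want) < 0, nil
}

func main() {
	v, vuln, err := vulnerableXText(sampleGoMod)
	switch {
	case err != nil:
		fmt.Println("error:", err)
	case v == "":
		fmt.Println("golang.org/x/text is not required by this module")
	case vuln:
		fmt.Printf("golang.org/x/text %s is below %s: run `go get golang.org/x/text@%s && go mod tidy`\n", v, fixedXText, fixedXText)
	default:
		fmt.Printf("golang.org/x/text %s is at or above %s\n", v, fixedXText)
	}
}
```

Two caveats when applying this to a real module: go.mod lists the selected version of indirect dependencies only for modules with a `go 1.17` or later directive, so on older modules use `go list -m golang.org/x/text` to see the version the build actually selects; and bumping the requirement with `go get golang.org/x/text@v0.3.7` is the application-level fix the maintainer describes, independent of which go-cty release is consumed.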