zclconf / go-cty

A type system for dynamic values in Go applications
MIT License

Security vulnerability #127

Closed ybocalandro closed 2 years ago

ybocalandro commented 2 years ago

Request to update text library to non-vulnerable version v0.3.7. CVE-2021-38561

Description from CVE: golang-x-text - Out-of-bounds Read

Explanation: The golang.org/x/text package is vulnerable due to an Out-of-bounds Read. The files and functions listed below do not properly handle index calculations when parsing formatted language tags. A remote attacker can exploit this behavior by supplying a specially-crafted language tag to trigger a panic, causing an application crash and ultimately a Denial of Service (DoS) condition.

Vulnerable File(s) and Function(s):

internal/language/language.go: ParseExtension(), ParseBase(), ParseScript(), ParseRegion(), ParseVariant()
internal/language/parse.go: Parse()
language/parse.go: Parse(), Compose(), ParseAcceptLanguage()

apparentlymart commented 2 years ago

Hi @ybocalandro! Thanks for reporting this, and submitting the PR.

I don't believe that cty is using any of the functions you indicated here itself, since we use that module exclusively for its unicode/norm sub-package and not for any of the language-related functionality. And also, any application using this library is free to upgrade its own dependency on golang.org/x/text if there are application-level concerns about including the vulnerable module.

For that reason, I'm going to merge this as a non-urgent "good hygiene" update now, but I will wait before releasing it and hold for the next "normal" release, which will come either when I next have some time to process the issue/PR queue or when there's a particular downstream demand for something that hasn't been released yet.

Thanks again!

ybocalandro commented 2 years ago

Thanks @apparentlymart, the driver for this change is a dependency on this other PR causing this build to fail:

Run go fmt ./...
go: github.com/zclconf/go-cty@v1.8.4 requires golang.org/x/text@v0.3.5: missing go.sum entry; to add it:
	go mod download golang.org/x/text
Error: Process completed with exit code 1.
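The maintainer's point above is that an application can raise its own golang.org/x/text requirement regardless of what go-cty pins, and the failing build shows what a stale go.sum looks like when that requirement changes. As an added example (not code from go-cty or from either participant), this POSIX shell check audits a module's go.mod and go.sum for the v0.3.7 floor without invoking the go toolchain; it assumes go.mod is tidy, so its require line is the version the build selects, and it uses constructed sample files with a placeholder hash.

```shell
#!/bin/sh
# Added example, not code from the go-cty project: audit a Go module's go.mod
# and go.sum for the golang.org/x/text floor discussed in this issue, without
# running the go toolchain. Assumes go.mod is tidy, so its require line for
# x/text is the version the build will select.
FIXED_XTEXT="v0.3.7"   # first version not affected by CVE-2021-38561

# Version a go.mod (stdin) requires for module $1; prints nothing if absent.
required_version() {
  awk -v mod="$1" '$1 == mod && $2 ~ /^v[0-9]/ { print $2; exit }'
}

# Numeric compare of vMAJOR.MINOR.PATCH strings; true when $1 >= $2.
version_ge() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0 }'
}

# Does go.sum (stdin) hold the hash line for $1@$2? Without it the build
# fails with the "missing go.sum entry" error quoted in the issue.
has_sum_entry() {
  grep -q "^$1 $2 h1:"
}

# Audit one module. Exit codes: 0 ok, 1 x/text too old, 2 go.sum entry
# missing, 3 x/text not required at all.
audit_xtext() {   # $1 = path to go.mod, $2 = path to go.sum
  v=$(required_version golang.org/x/text < "$1")
  [ -n "$v" ] || { echo "golang.org/x/text not required"; return 3; }
  if ! version_ge "$v" "$FIXED_XTEXT"; then
    echo "golang.org/x/text $v < $FIXED_XTEXT: affected by CVE-2021-38561"; return 1
  fi
  if ! has_sum_entry golang.org/x/text "$v" < "$2"; then
    echo "go.sum lacks golang.org/x/text@$v (run: go mod download golang.org/x/text)"; return 2
  fi
  echo "golang.org/x/text $v: ok"; return 0
}

# Constructed sample inputs: a go.mod still pinned to the vulnerable v0.3.5
# (as in the failing build) and one bumped to v0.3.7; the hash is a placeholder.
tmp=$(mktemp -d)
printf 'module example.com/app\n\ngo 1.16\n\nrequire (\n\tgithub.com/zclconf/go-cty v1.8.4\n\tgolang.org/x/text v0.3.5\n)\n' > "$tmp/old.mod"
printf 'module example.com/app\n\ngo 1.16\n\nrequire (\n\tgithub.com/zclconf/go-cty v1.8.4\n\tgolang.org/x/text v0.3.7\n)\n' > "$tmp/new.mod"
printf 'golang.org/x/text v0.3.7 h1:PLACEHOLDERHASH=\n' > "$tmp/new.sum"
: > "$tmp/empty.sum"
```

Running `audit_xtext "$tmp/old.mod" "$tmp/new.sum"` reports the vulnerable pin, while `audit_xtext "$tmp/new.mod" "$tmp/empty.sum"` reproduces the missing go.sum condition from the build log.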