[GODRIVER-2763] CVE-2022-32149 in golang.org/x/text Created: 27/Feb/23  Updated: 28/Oct/23  Resolved: 01/Mar/23

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.12.0

Type: Task Priority: Major - P3
Reporter: Matt Dale Assignee: Matt Dale
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Documentation Changes: Not Needed

Description

Discovered from Github Dependabot alert: https://github.com/mongodb/mongo-go-driver/security/dependabot/3

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead, the solution implemented in the upstream CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real-world use cases, where the number of tags being sent is likely to be in the single digits.

Definition of done:

  • Update golang.org/x/text dependency version to >= 0.3.8
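A check for the definition of done above, added here as an example and not part of the ticket or the driver's own code: it reads go.mod contents for the golang.org/x/text requirement (inline or inside a require block) and compares it against the minimum fixed version v0.3.8. The go.mod fragments in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// MinFixed is the first golang.org/x/text release with the CVE-2022-32149 fix,
// taken from this ticket's definition of done.
const MinFixed = "v0.3.8"

// parseSemver splits "vMAJOR.MINOR.PATCH" into ints. Sscanf stops after the
// third integer, so a -pre or +incompatible suffix is ignored.
func parseSemver(v string) (out [3]int, err error) {
	if _, err = fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2]); err != nil {
		return out, fmt.Errorf("malformed version %q: %v", v, err)
	}
	return out, nil
}

// XTextFixed reports whether go.mod contents require golang.org/x/text at or
// above MinFixed. The require line may be inline or inside a require block.
func XTextFixed(gomod string) (bool, error) {
	want, _ := parseSemver(MinFixed)
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require"))
		if len(f) < 2 || f[0] != "golang.org/x/text" {
			continue
		}
		have, err := parseSemver(f[1])
		if err != nil {
			return false, err
		}
		for i := range have {
			if have[i] != want[i] {
				return have[i] > want[i], nil
			}
		}
		return true, nil // exactly MinFixed
	}
	return false, fmt.Errorf("golang.org/x/text is not required in go.mod")
}

func main() {
	// Constructed go.mod fragments, not the driver's real go.mod.
	pre := "require (\n\tgolang.org/x/text v0.3.7 // indirect\n)\n"
	post := "require golang.org/x/text v0.7.0\n"
	fmt.Println(XTextFixed(pre))  // false <nil>
	fmt.Println(XTextFixed(post)) // true <nil>
}
```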


Comments
Comment by Githook User [ 01/Mar/23 ]

Author: Matt Dale (matthewdale, 9760375+matthewdale@users.noreply.github.com)

Message: GODRIVER-2763 Update golang.org/x/text to v0.7.0 (#1195)
Branch: master
https://github.com/mongodb/mongo-go-driver/commit/1bfbd5792b90c0cf00abc4eb92ed5bc30aaa4f8c

Comment by Matt Dale [ 27/Feb/23 ]

PR: https://github.com/mongodb/mongo-go-driver/pull/1195
