Your message dated Sun, 12 Jul 2020 07:03:28 +0000
with message-id <e1juw1i-0002o0...@fasolo.debian.org>
and subject line Bug#964272: fixed in golang-golang-x-text 0.3.3-1
has caused the Debian Bug report #964272,
regarding golang-golang-x-text: CVE-2020-14040
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
964272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964272
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-x-text
Version: 0.3.2-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/39491
Control: clone -1 -2
Control: reassign -2 src:golang-golang-x-text 0.3.2-4
Control: retitle -2 golang-golang-x-text: CVE-2020-14040

Hi,

The following vulnerability was published for golang-x-text and
golang-golang-x-text.

CVE-2020-14040[0]:
| Go version v0.3.3 of the x/text package fixes a vulnerability in
| encoding/unicode that could lead to the UTF-16 decoder entering an
| infinite loop, causing the program to crash or run out of memory. An
| attacker could provide a single byte to a UTF16 decoder instantiated
| with UseBOM or ExpectBOM to trigger an infinite loop if the String
| function on the Decoder is called, or the Decoder is passed to
| golang.org/x/text/transform.String.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-14040
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040
[1] https://github.com/golang/go/issues/39491
[2] https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
[3] https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
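
A defender-side check for the version boundary named in the CVE text above, as an added example that is not part of the bug report or of the x/text project: it scans go.mod text for a `golang.org/x/text` requirement and flags anything older than v0.3.3. The function names and the sample go.mod fragment are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// fixed is the first x/text release with the fix (v0.3.3, per the CVE text).
var fixed = [3]int{0, 3, 3}

// affected reports whether v predates the fix. Pre-release and pseudo-versions
// of 0.3.3 sort before v0.3.3, so they are flagged too. ok is false on bad input.
func affected(v string) (bad, ok bool) {
	var n [3]int
	core, pre := v, false
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		core, pre = v[:i], v[i] == '-'
	}
	if c, err := fmt.Sscanf(core, "v%d.%d.%d", &n[0], &n[1], &n[2]); err != nil || c != 3 {
		return false, false
	}
	for i := range n {
		if n[i] != fixed[i] {
			return n[i] < fixed[i], true
		}
	}
	return pre, true // same core as the fix: only a pre-release is older
}

// checkGoMod scans go.mod text for a requirement on golang.org/x/text and
// returns its version and whether it is affected; found is false if absent.
func checkGoMod(gomod string) (version string, bad, found bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form: require <module> <version>
		}
		if len(f) >= 2 && f[0] == "golang.org/x/text" {
			if b, ok := affected(f[1]); ok {
				return f[1], b, true
			}
		}
	}
	return "", false, false
}

func main() {
	// Constructed go.mod fragment, not from a real project.
	fmt.Println(checkGoMod("require (\n\tgolang.org/x/text v0.3.2 // indirect\n)\n"))
}
```
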
--- Begin Message ---
Source: golang-golang-x-text
Source-Version: 0.3.3-1
Done: Shengjing Zhu <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
golang-golang-x-text, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 964...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <z...@debian.org> (supplier of updated golang-golang-x-text
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 12 Jul 2020 14:52:43 +0800
Source: golang-golang-x-text
Architecture: source
Version: 0.3.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Shengjing Zhu <z...@debian.org>
Closes: 964272
Changes:
golang-golang-x-text (0.3.3-1) unstable; urgency=medium
.
* Team upload
* New upstream release v0.3.3 (Closes: #964272, CVE-2020-14040)
* Bump debhelper-compat to 13
-----BEGIN PGP SIGNATURE-----
iIYEARYIAC4WIQTiXc95jUQrjt9HgU3EhUo4GOCwFgUCXwq0JxAcemhzakBkZWJp
YW4ub3JnAAoJEMSFSjgY4LAWDwEBAPb4X6e6krh14cO0mKl0jSoZdH5V117YctLr
TnBvuXYfAP94JggKdctZ8gB1Q0+qII9vddPy24f1K9av7oXO4OMmAw==
=n2P+
-----END PGP SIGNATURE-----
--- End Message ---