go: x/text: panic in language.ParseAcceptLanguage while parsing -u- extension
What version of Go are you using (go version)?
$ go version
go version go1.15.4 linux/amd64
Does this issue reproduce with the latest release?
What operating system and processor architecture are you using (go env)?
go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/sasha/.cache/go-build"
GOENV="/home/sasha/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/sasha/goenv/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/sasha/goenv"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build111267796=/tmp/go-build -gno-record-gcc-switches"
GOROOT/bin/go version: go version go1.15.4 linux/amd64
GOROOT/bin/go tool compile -V: compile version go1.15.4
uname -sr: Linux 4.19.128-microsoft-standard
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2020.2
Codename: kali-rolling
/lib/x86_64-linux-gnu/libc.so.6: GNU C Library (Debian GLIBC 2.31-3) stable release version 2.31.
gdb --version: GNU gdb (Debian 9.2-1) 9.2
What did you do?
https://play.golang.org/p/FCHj_rCBdiH
What did you expect to see?
Error via return value
What did you see instead?
panic: runtime error: index out of range [17] with length 14
goroutine 1 [running]:
golang.org/x/text/internal/language.Tag.findTypeForKey(0x202000000013e, 0xc00002c070, 0xe, 0x4d8c35, 0x2, 0x2d01104014010d0, 0x21127901ec11a0, 0x14e1470015e1424)
/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/internal/language/language.go:456 +0x366
golang.org/x/text/internal/language.Tag.TypeForKey(0x202000000013e, 0xc00002c070, 0xe, 0x4d8c35, 0x2, 0xe, 0x20)
/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/internal/language/language.go:307 +0x4d
golang.org/x/text/internal/language/compact.Make(0x202000000013e, 0xc00002c070, 0xe, 0xc00002c070, 0xe, 0x4fbf00)
/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/internal/language/compact/language.go:38 +0x65
golang.org/x/text/language.makeTag(...)
/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/language/language.go:25
golang.org/x/text/language.CanonType.Parse(0x17, 0x4da9c2, 0x10, 0x4da9c2, 0x10, 0x0, 0x0, 0x3fc0389239a6386c)
/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/language/parse.go:48 +0x145
golang.org/x/text/language.Parse(...)
/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/language/parse.go:34
golang.org/x/text/language.ParseAcceptLanguage(0x4da9c2, 0x10, 0xc000068f48, 0x442bca, 0x56ed40, 0xc000032778, 0xc000068f78, 0x405e25, 0xc00005e058, 0x0)
/tmp/gopath829095260/pkg/mod/golang.org/x/text@v0.3.4/language/parse.go:154 +0x165
main.main()
/tmp/sandbox226474929/prog.go:10 +0x3a
About this issue
- State: closed
- Created 4 years ago
- Comments: 16 (5 by maintainers)
Commits related to this issue
- rebase: update golang.org/x/text to 0.3.6 update text package to 0.3.6 to fix CVE CVE-2020-28851 more details at https://github.com/golang/go/issues/42535 and https://bugzilla.redhat.com/show_bug.cg... — committed to Madhu-1/ceph-csi by Madhu-1 3 years ago
- language: allow variable number of types per key in -u- extension This also fixes CVE-2020-28851. This was an off-by one error, but is fixed by handling all cases according to the spec. These valid ... — committed to xhit/text by mpvl 3 years ago
There is another urgent fix pending and will tag afterwards.
On Fri, Mar 26, 2021 at 12:06 RSAlderman @.***> wrote:
– Marcel van Lohuizen – Google Switzerland GmbH – Identifikationsnummer: CH-020.4.028.116-1
I’m somewhat new to the Go community, but I have observed that with go1.16.2, when you run go get golang.org/x/text/language, it still pulls version v0.3.5 of this module instead of the newly-fixed 0.3.6. Can someone help me track when that would/will change? So far, I’ve been watching on https://golang.org/doc/devel/release.html#go1.16 and also https://github.com/golang/go/issues?q=milestone%3AGo1.16.2+label%3ACherryPickApproved as examples.
I should note: I’m aware I can change the version that is used in my go.mod, but my team uses countless Go components that would need to be checked for the existence of golang.org/x/text – it would be much much easier if the default version installed is the one mentioned by @dvasilen above.
@Jethzabell: submitted a fix.
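The thread above raises the problem of checking many Go components for golang.org/x/text. As an added example (not code from this issue or from the Go project), the sketch below scans go.mod text for required versions older than v0.3.6, the release the linked commits update to. The names predatesFix and auditGoMod are hypothetical, and versions that cannot be parsed are deliberately reported for manual review.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixed is v0.3.6, the golang.org/x/text release named in the linked commits.
var fixed = [3]int{0, 3, 6}

// predatesFix reports whether v (vMAJOR.MINOR.PATCH, optionally with a
// -prerelease or +build suffix) sorts before fixed. Unparsable input is flagged.
func predatesFix(v string) bool {
	core := strings.SplitN(strings.TrimPrefix(v, "v"), "+", 2)[0]
	pre := strings.Contains(core, "-") // pseudo-versions carry this suffix too
	parts := strings.Split(strings.SplitN(core, "-", 2)[0], ".")
	if len(parts) != 3 {
		return true
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n != fixed[i] {
			return err != nil || n < fixed[i]
		}
	}
	return pre // same numbers: a pre-release sorts before the release
}

// auditGoMod returns each golang.org/x/text version in gomod that predates
// the fix. Line-based: replace directives and block types are not tracked.
func auditGoMod(gomod string) []string {
	var hits []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form: require <path> <version>
		}
		if len(f) == 2 && f[0] == "golang.org/x/text" && predatesFix(f[1]) {
			hits = append(hits, f[1])
		}
	}
	return hits
}

// main runs the audit on a constructed one-line go.mod.
func main() {
	fmt.Println(auditGoMod("require golang.org/x/text v0.3.4 // indirect"))
}
```

Because this reads go.mod text only, `go list -m all` run inside each module remains the authority on the version actually selected for the build.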