github.com/ulikunitz/xz fixes readUvarint Denial of Service (DoS)
Description
Published by the National Vulnerability Database
Apr 28, 2021
Reviewed
May 24, 2021
Published to the GitHub Advisory Database
May 25, 2021
Last updated
May 31, 2024
Impact
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input.
Patches
The problem has been fixed in release v0.5.8.
Workarounds
Limit the size of the compressed file input to a reasonable size for your use case.
References
The standard library had recently the same issue and got the CVE-2020-16845 allocated.
For more information
If you have any questions or comments about this advisory:
References