GHSA-25xm-hr59-7c27

Source

https://github.com/advisories/GHSA-25xm-hr59-7c27

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-25xm-hr59-7c27/GHSA-25xm-hr59-7c27.json

Aliases

• CVE-2021-29482
• GO-2020-0016

Published

2021-05-25T18:39:37Z

Modified

2023-11-08T04:05:35.352241Z

Details

Impact

xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input.

Patches

The problem has been fixed in release v0.5.8.

Workarounds

Limit the size of the compressed file input to a reasonable size for your use case.

References

The standard library had recently the same issue and got the CVE-2020-16845 allocated.

For more information

If you have any questions or comments about this advisory: * Open an issue in xz.

References

• https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
• https://nvd.nist.gov/vuln/detail/CVE-2021-29482
• https://github.com/ulikunitz/xz/issues/35
• https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
• https://pkg.go.dev/vuln/GO-2020-0016