xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input.
The problem has been fixed in release v0.5.8.
Limit the size of the compressed file input to a reasonable size for your use case.
The standard library had recently the same issue and got the CVE-2020-16845 allocated.
If you have any questions or comments about this advisory: * Open an issue in xz.
{ "nvd_published_at": "2021-04-28T19:15:00Z", "cwe_ids": [ "CWE-835" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-05-24T17:52:22Z" }