CVE-2021-29482, GHSA-25xm-hr59-7c27
go/github.com/ulikunitz/xz
Loop with Unreachable Exit Condition (Infinite Loop)
xz is a compression and decompression library for the xz format, written completely in Go. The function readUvarint,
used to read the xz container format, may not terminate its loop when given malicious input. As a workaround, users can limit the size of the compressed input to a reasonable size for their use case. The Go standard library recently had the same issue in encoding/binary, described in CVE-2020-16845.
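The following is an added illustration, not code from ulikunitz/xz or from the advisory: a minimal Go reader for the 7-bits-per-byte varint encoding used by xz, written once with an unbounded loop (the pattern the advisory describes) and once with a length cap, plus the advisory's suggested workaround of bounding the input with io.LimitReader. The cap of 10 bytes, the function names, and the continuationReader input are assumptions made for this example; they match the Go standard library's MaxVarintLen64, not necessarily the exact fix shipped in xz 0.5.8.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// readUvarintUnbounded reads a little-endian base-128 varint: each byte
// carries 7 payload bits and the high bit (0x80) means "more bytes follow".
// The loop has no upper bound, so a reader that never clears the
// continuation bit keeps it spinning forever (the CVE-2021-29482 pattern).
// It returns the value, the number of bytes consumed, and any read error.
func readUvarintUnbounded(r io.ByteReader) (uint64, int, error) {
	var x uint64
	var s uint
	n := 0
	for {
		b, err := r.ReadByte()
		if err != nil {
			return x, n, err
		}
		n++
		if b < 0x80 {
			return x | uint64(b)<<s, n, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
}

// maxVarintLen is an assumed cap: a 64-bit value needs at most 10 groups
// of 7 bits, so any encoding longer than that is malformed by construction.
const maxVarintLen = 10

var errOverflow = errors.New("uvarint: value overflows a 64-bit integer")

// readUvarintBounded is the hardened form: it gives up after maxVarintLen
// bytes and also rejects a final byte that would overflow 64 bits.
func readUvarintBounded(r io.ByteReader) (uint64, int, error) {
	var x uint64
	var s uint
	for i := 0; i < maxVarintLen; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, i, err
		}
		if b < 0x80 {
			if i == maxVarintLen-1 && b > 1 {
				return x, i + 1, errOverflow
			}
			return x | uint64(b)<<s, i + 1, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, maxVarintLen, errOverflow
}

// readUvarintWithLimit demonstrates the advisory's workaround: even the
// unbounded parser terminates if the caller caps the input size up front.
func readUvarintWithLimit(r io.Reader, limit int64) (uint64, int, error) {
	return readUvarintUnbounded(bufio.NewReader(io.LimitReader(r, limit)))
}

// continuationReader is a constructed malicious input: an endless stream of
// 0xff bytes, every one of which has the continuation bit set.
type continuationReader struct{}

func (continuationReader) ReadByte() (byte, error) { return 0xff, nil }

func (continuationReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0xff
	}
	return len(p), nil
}

func main() {
	// Well-formed input: 300 encodes as 0xAC 0x02.
	v, n, err := readUvarintBounded(bytes.NewReader([]byte{0xac, 0x02}))
	fmt.Println(v, n, err)

	// Malicious input: the bounded parser stops after maxVarintLen bytes.
	_, n, err = readUvarintBounded(continuationReader{})
	fmt.Println(n, err)

	// Same input through the size-limit workaround: stops at the limit.
	_, n, err = readUvarintWithLimit(continuationReader{}, 16)
	fmt.Println(n, err)

	// readUvarintUnbounded(continuationReader{}) would never return.
}
```

The unbounded variant is only safe when the underlying reader is finite; on a network socket or a decompression pipeline fed by an attacker, the length cap inside the parser is the fix, and the io.LimitReader wrapper is the mitigation available to callers who cannot upgrade yet.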
All versions before 0.5.8
Upgrade to version 0.5.8 or above.
2021-05-10