CVE-2021-29482

Loop with Unreachable Exit Condition (Infinite Loop) in go/github.com/ulikunitz/xz

Identifiers

CVE-2021-29482, GHSA-25xm-hr59-7c27

Package Slug

go/github.com/ulikunitz/xz

Vulnerability

Loop with Unreachable Exit Condition (Infinite Loop)

Description

xz is a compression and decompression library for the xz format, written entirely in Go. The function readUvarint, which is used to read the xz container format, may fail to terminate its loop when given malicious input. As a workaround, users can limit the size of the compressed input to a value that is reasonable for their use case. The Go standard library recently had the same issue, described in CVE-2020-16845.
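The following is an added example, not code from the xz library or from this advisory: one way to write a variable-length integer reader whose loop always ends, by capping the number of bytes it will consume. The name readUvarintBounded, the error value and the sample input are assumptions made for illustration; the 10-byte cap is the longest encoding of a 64-bit value at 7 bits per byte.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxUvarintLen is the longest valid encoding of a 64-bit value (7 bits per byte).
const maxUvarintLen = 10

var errOverflow = errors.New("uvarint: value overflows 64 bits")

// readUvarintBounded is a hypothetical hardened reader (not the library's code).
// It returns the decoded value and the number of bytes consumed, and never
// reads more than maxUvarintLen bytes regardless of the input.
func readUvarintBounded(r io.ByteReader) (uint64, int, error) {
	var x uint64
	var s uint
	for i := 0; i < maxUvarintLen; i++ {
		b, err := r.ReadByte()
		if err != nil {
			if err == io.EOF && i > 0 {
				err = io.ErrUnexpectedEOF // input ended inside a value
			}
			return 0, i, err
		}
		if b < 0x80 { // continuation bit clear: last byte of the value
			if i == maxUvarintLen-1 && b > 1 {
				return 0, i + 1, errOverflow // tenth byte may carry only bit 63
			}
			return x | uint64(b)<<s, i + 1, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	// Every byte so far had the continuation bit set: stop instead of looping on.
	return 0, maxUvarintLen, errOverflow
}

func main() {
	// Constructed input: 1 MiB of bytes that all have the continuation bit set.
	in := bytes.NewReader(bytes.Repeat([]byte{0x80}, 1<<20))
	_, n, err := readUvarintBounded(in)
	fmt.Println(n, err)
}
```

The workaround named above can be applied independently of such a check by wrapping the compressed stream in io.LimitReader before it reaches the decoder.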

Affected Versions

All versions before 0.5.8

Solution

Upgrade to version 0.5.8 or above.

Last Modified

2021-05-10