CVE-2020-16845: Withdrawn Advisory: Infinite loop in xz
(updated )
Withdrawn Advisory
This advisory has been withdrawn because alerts cannot be issued for the Go standard library at this time.
Original Description
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
References
- github.com/advisories/GHSA-q6gq-997w-f55g
- github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
- github.com/ulikunitz/xz/issues/35
- groups.google.com/forum/
- groups.google.com/forum/
- lists.debian.org/debian-lts-announce/2020/11/msg00037.html
- lists.debian.org/debian-lts-announce/2020/11/msg00038.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RCFJTMKHY5ICGEM5BUFUEDDGSPJ25XU
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWRBAH4UZJO3RROQ72SYCUPFCJFA22FO
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV2VWKFTH4EJGZBZALVUJQJOAQB5MDQ4
- nvd.nist.gov/vuln/detail/CVE-2020-16845
- security.netapp.com/advisory/ntap-20200924-0002
- www.debian.org/security/2021/dsa-4848
- www.oracle.com/security-alerts/cpuApr2021.html
Code Behaviors & Features
Detect and mitigate CVE-2020-16845 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →