Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI1eG0taHI1OS03YzI3
github.com/ulikunitz/xz fixes readUvarint denial of service
Impact
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input.
Patches
The problem has been fixed in release v0.5.8.
Workarounds
Limit the size of the compressed file input to a reasonable size for your use case.
References
The standard library had recently the same issue and got the CVE-2020-16845 allocated.
For more information
If you have any questions or comments about this advisory:
- Open an issue in xz.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI1eG0taHI1OS03YzI3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-25xm-hr59-7c27, CVE-2021-29482
References:
- https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
- https://nvd.nist.gov/vuln/detail/CVE-2021-29482
- https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
- https://github.com/ulikunitz/xz/issues/35
- https://pkg.go.dev/vuln/GO-2020-0016
- https://github.com/advisories/GHSA-25xm-hr59-7c27
Blast Radius: 31.7
Affected Packages
go:github.com/ulikunitz/xz
Dependent packages: 6,770Dependent repositories: 16,976
Downloads:
Affected Version Ranges: < 0.5.8
Fixed in: 0.5.8
All affected versions: 0.3.1, 0.4.1, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7
All unaffected versions: 0.5.8, 0.5.9, 0.5.10, 0.5.11