reports/GO-2020-0016.yaml - vulndb - Git at Google

 module: github.com/ulikunitz/xz
 versions:
   - fixed: v0.5.8
 description: |
   An attacker can construct a series of bytes such that calling
   [`Reader.Read`] on the bytes could cause an infinite loop. If
   parsing user supplied input, this may be used as a denial of
   service vector.
 published: 2021-04-14T12:00:00Z
 credit: "@0xdecaf"
 symbols:
   - readUvarint
 links:
   commit: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
   context:
     - https://github.com/ulikunitz/xz/issues/35
     - https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
 cve_metadata:
   id: CVE-9999-0004
   cwe: "CWE-190: Integer Overflow or Wraparound"
   description: |
     Integer overflow in github.com/ulikunitz/xz before v0.5.8 allows attackers
     to cause denial of service via maliciously crafted input.
	module: github.com/ulikunitz/xz
	versions:
	- fixed: v0.5.8
	description: \|
	An attacker can construct a series of bytes such that calling
	[`Reader.Read`] on the bytes could cause an infinite loop. If
	parsing user supplied input, this may be used as a denial of
	service vector.
	published: 2021-04-14T12:00:00Z
	credit: "@0xdecaf"
	symbols:
	- readUvarint
	links:
	commit: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
	context:
	- https://github.com/ulikunitz/xz/issues/35
	- https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
	cve_metadata:
	id: CVE-9999-0004
	cwe: "CWE-190: Integer Overflow or Wraparound"
	description: \|
	Integer overflow in github.com/ulikunitz/xz before v0.5.8 allows attackers
	to cause denial of service via maliciously crafted input.