data/reports/GO-2020-0016.yaml - vulndb - Git at Google

 id: GO-2020-0016
 modules:
     - module: github.com/ulikunitz/xz
       versions:
         - fixed: 0.5.8
       vulnerable_at: 0.5.7
       packages:
         - package: github.com/ulikunitz/xz
           symbols:
             - readUvarint
           derived_symbols:
             - Reader.Read
             - blockHeader.UnmarshalBinary
             - streamReader.Read
 summary: Infinite loop in github.com/ulikunitz/xz
 description: |-
     An attacker can construct a series of bytes such that calling Reader.Read on the
     bytes could cause an infinite loop. If parsing user supplied input, this may be
     used as a denial of service vector.
 published: 2021-04-14T20:04:52Z
 cves:
     - CVE-2021-29482
 ghsas:
     - GHSA-25xm-hr59-7c27
 credits:
     - '@0xdecaf'
 references:
     - fix: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
     - web: https://github.com/ulikunitz/xz/issues/35
	id: GO-2020-0016
	modules:
	- module: github.com/ulikunitz/xz
	versions:
	- fixed: 0.5.8
	vulnerable_at: 0.5.7
	packages:
	- package: github.com/ulikunitz/xz
	symbols:
	- readUvarint
	derived_symbols:
	- Reader.Read
	- blockHeader.UnmarshalBinary
	- streamReader.Read
	summary: Infinite loop in github.com/ulikunitz/xz
	description: \|-
	An attacker can construct a series of bytes such that calling Reader.Read on the
	bytes could cause an infinite loop. If parsing user supplied input, this may be
	used as a denial of service vector.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2021-29482
	ghsas:
	- GHSA-25xm-hr59-7c27
	credits:
	- '@0xdecaf'
	references:
	- fix: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
	- web: https://github.com/ulikunitz/xz/issues/35