reports/GO-2020-0016.toml - vulndb - Git at Google

 package = "github.com/ulikunitz/xz"

 description = """
 An attacker can construct a series of bytes such that calling
 [`Reader.Read`] on the bytes could cause an infinite loop.
 """

 credit = "@0xdecaf"

 symbols = ["readUvarint"]

 [[versions]]
 fixed = "v0.5.8"

 [links]
 commit = "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b"
 context = [
     "https://github.com/ulikunitz/xz/issues/35",
     "https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27"
 ]

 [cve_metadata]
 id = "CVE-XXXX-0004"
 description = """
 Integer overflow in github.com/ulikunitz/xz before v0.5.8 allows attackers
 to cause denial of service via maliciously crafted input.
 """
 cwe = "CWE-190: Integer Overflow or Wraparound"
	package = "github.com/ulikunitz/xz"

	description = """
	An attacker can construct a series of bytes such that calling
	[`Reader.Read`] on the bytes could cause an infinite loop.
	"""

	credit = "@0xdecaf"

	symbols = ["readUvarint"]

	[[versions]]
	fixed = "v0.5.8"

	[links]
	commit = "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b"
	context = [
	"https://github.com/ulikunitz/xz/issues/35",
	"https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27"
	]

	[cve_metadata]
	id = "CVE-XXXX-0004"
	description = """
	Integer overflow in github.com/ulikunitz/xz before v0.5.8 allows attackers
	to cause denial of service via maliciously crafted input.
	"""
	cwe = "CWE-190: Integer Overflow or Wraparound"