| packages: |
| - module: std |
| package: encoding/binary |
| symbols: |
| - ReadUvarint |
| - ReadVarint |
| versions: |
| - fixed: 1.13.15 |
| - introduced: 1.14.0 |
| fixed: 1.14.7 |
| vulnerable_at: 1.14.6 |
| description: | |
| ReadUvarint and ReadVarint can read an unlimited number of bytes from |
| invalid inputs. |
| |
| Certain invalid inputs to ReadUvarint or ReadVarint can cause these |
| functions to read an unlimited number of bytes from the ByteReader |
| parameter before returning an error. This can lead to processing more |
| input than expected when the caller is reading directly from a |
| network and depends on ReadUvarint or ReadVarint only consuming a |
| small, bounded number of bytes, even from invalid inputs. |
| cves: |
| - CVE-2020-16845 |
| ghsas: |
| - GHSA-q6gq-997w-f55g |
| credit: Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon |
| links: |
| pr: https://go.dev/cl/247120 |
| commit: https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258 |
| context: |
| - https://go.dev/issue/40618 |
| - https://groups.google.com/g/golang-announce/c/NyPIaucMgXo |