| module: github.com/ulikunitz/xz |
| versions: |
| - fixed: v0.5.8 |
| description: | |
| An attacker can construct a series of bytes such that calling |
| [`Reader.Read`] on the bytes could cause an infinite loop. If |
| parsing user supplied input, this may be used as a denial of |
| service vector. |
| published: 2021-04-14T12:00:00Z |
| credit: "@0xdecaf" |
| symbols: |
| - readUvarint |
| links: |
| commit: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b |
| context: |
| - https://github.com/ulikunitz/xz/issues/35 |
| - https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27 |
| cve_metadata: |
| id: CVE-9999-0004 |
| cwe: "CWE-190: Integer Overflow or Wraparound" |
| description: | |
| Integer overflow in github.com/ulikunitz/xz before v0.5.8 allows attackers |
| to cause denial of service via maliciously crafted input. |