| packages: |
| - module: github.com/ulikunitz/xz |
| symbols: |
| - readUvarint |
| derived_symbols: |
| - Reader.Read |
| - blockHeader.UnmarshalBinary |
| - streamReader.Read |
| versions: |
| - fixed: 0.5.8 |
| description: | |
| An attacker can construct a series of bytes such that calling |
| Reader.Read on the bytes could cause an infinite loop. If |
| parsing user supplied input, this may be used as a denial of |
| service vector. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2021-29482 |
| ghsas: |
| - GHSA-25xm-hr59-7c27 |
| credit: '@0xdecaf' |
| links: |
| commit: https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b |
| context: |
| - https://github.com/ulikunitz/xz/issues/35 |
| - https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27 |