Описание
github.com/ulikunitz/xz fixes readUvarint Denial of Service (DoS)
Impact
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input.
Patches
The problem has been fixed in release v0.5.8.
Workarounds
Limit the size of the compressed file input to a reasonable size for your use case.
References
The standard library had recently the same issue and got the CVE-2020-16845 allocated.
For more information
If you have any questions or comments about this advisory:
- Open an issue in xz.
Пакеты
github.com/ulikunitz/xz
< 0.5.8
0.5.8
Связанные уязвимости
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.
xz is a compression and decompression library focusing on the xz forma ...