Inappropriate coding practices in golang-github-ulikunitz-xz

Description

github.com/ulikunitz/xz fixes readUvarint Denial of Service (DoS)

Impact

xz is a compression and decompression library for the xz format, written entirely in Go. The function readUvarint, used to read variable-length integers from the xz container format, may fail to terminate its read loop when given malicious input, so a crafted compressed file can keep the decoder spinning indefinitely (Denial of Service).

Patches

The problem has been fixed in release v0.5.8.

Workarounds

Limit the size of the compressed file input to a reasonable size for your use case.
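The following Go program is an added illustration (not code from the xz library or its author) of the defect class described under Impact and of why the size-cap workaround above helps. It contrasts a hypothetical unbounded uvarint reader, which loops until it sees a byte without the continuation bit and therefore never returns on an endless run of 0x80 bytes, with a bounded reader that gives up after the 10 bytes a uint64 can need. The names readUvarintUnbounded, readUvarintBounded, decodeWithSizeCap and the endlessContinuation input are assumptions made for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// A uint64 needs at most 10 base-128 bytes (7 payload bits each).
const maxUvarintLen = 10

var errOverflow = errors.New("uvarint: value does not fit in 64 bits")

// endlessContinuation is a constructed attacker input: every byte has the
// continuation bit (0x80) set, so a decoder that waits for a final byte
// without that bit never sees one. It never errors and never runs dry.
type endlessContinuation struct{ n int }

func (e *endlessContinuation) ReadByte() (byte, error) {
	e.n++
	return 0x80, nil
}

// readUvarintUnbounded models the vulnerable pattern (illustrative, not the
// library's code): loop until a byte without the continuation bit arrives.
// On endlessContinuation it never terminates; on a long but finite run it
// silently returns 0, because Go yields 0 for a uint64 shifted by 64 or more.
func readUvarintUnbounded(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for {
		b, err := r.ReadByte()
		if err != nil {
			return 0, err
		}
		x |= uint64(b&0x7f) << s
		if b < 0x80 {
			return x, nil
		}
		s += 7
	}
}

// readUvarintBounded is the hardened form: stop after maxUvarintLen bytes,
// and reject a 10th byte that would carry more than the single bit left.
func readUvarintBounded(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < maxUvarintLen; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return 0, err
		}
		if i == maxUvarintLen-1 && b > 1 {
			return 0, errOverflow
		}
		x |= uint64(b&0x7f) << s
		if b < 0x80 {
			return x, nil
		}
		s += 7
	}
	return 0, errOverflow
}

// decodeWithSizeCap applies the advisory's workaround: cap the number of
// compressed bytes the decoder may consume. Even the unbounded loop then
// stops, with io.EOF, once the cap is exhausted.
func decodeWithSizeCap(r io.Reader, limit int64) (uint64, error) {
	return readUvarintUnbounded(bufio.NewReader(io.LimitReader(r, limit)))
}

func main() {
	// 300 encodes as the two bytes 0xAC 0x02.
	v, err := readUvarintBounded(bytes.NewReader([]byte{0xAC, 0x02}))
	fmt.Println("valid input:", v, err)

	attacker := &endlessContinuation{}
	_, err = readUvarintBounded(attacker)
	fmt.Printf("bounded reader on endless input: %v after %d bytes\n", err, attacker.n)

	// Never hand the unbounded loop raw attacker input; with a cap it still ends.
	longRun := bytes.NewReader(bytes.Repeat([]byte{0x80}, 1<<20))
	_, err = decodeWithSizeCap(longRun, 64)
	fmt.Println("unbounded reader under a 64-byte cap:", err)
}
```

The size cap turns a hang into an error, which is why the workaround is acceptable until v0.5.8 is deployed, but only the bounded reader rejects the malformed integer itself; the unbounded reader under a cap still misparses the finite case (returns 0 instead of an error), so upgrading remains the real fix.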

References

The Go standard library recently had the same issue in encoding/binary's ReadUvarint, for which CVE-2020-16845 was allocated.

For more information

If you have any questions or comments about this advisory:

    Open an issue in xz.


Ecosystem: Go
Package: github.com/ulikunitz/xz
Affected version: < 0.5.8
Patched versions: 0.5.8