Source: golang-github-ulikunitz-xz
Version: 0.5.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for golang-github-ulikunitz-xz.

CVE-2021-29482[0]:
| xz is a compression and decompression library focusing on the xz
| format completely written in Go. The function readUvarint used to read
| the xz container format may not terminate a loop provided malicious
| input. The problem has been fixed in release v0.5.8. As a workaround
| users can limit the size of the compressed file input to a reasonable
| size for their use case. The standard library recently had the same
| issue and got CVE-2020-16845 allocated.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29482
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29482
[1] https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
[2] https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b

Regards,
Salvatore
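The failure mode behind CVE-2021-29482 (and the stdlib's CVE-2020-16845) is a base-128 varint reader whose only loop exits are "byte with the high bit clear" or "reader error": a stream of continuation bytes (0x80, 0x80, ...) keeps it reading indefinitely, and on a long enough file it also silently accumulates more than 64 bits. The following Go program is an added illustration written for this report, not the ulikunitz/xz sources or the fix commit: readUvarintUnbounded is a constructed vulnerable pattern, readUvarintBounded caps the loop at the 10 bytes a uint64 can need, and limitedByteReader shows the advisory's workaround of bounding the input with io.LimitReader. The names, the endlessReader test stream and the sample byte sequences are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxUvarintLen is the most bytes a base-128 varint needs to hold a uint64:
// nine bytes carry 63 bits and the tenth carries the last bit.
const maxUvarintLen = 10

var errOverflowU64 = errors.New("uvarint overflows a 64-bit integer")

// readUvarintUnbounded is the vulnerable pattern (constructed for this
// example, not the library's source). It leaves the loop only on a byte
// below 0x80 or on a reader error, so an endless run of continuation bytes
// never returns; shifts past bit 63 are silently discarded.
func readUvarintUnbounded(r io.ByteReader) (x uint64, n int, err error) {
	var s uint
	var b byte
	for {
		if b, err = r.ReadByte(); err != nil {
			return x, n, err
		}
		n++
		if b < 0x80 {
			return x | uint64(b)<<s, n, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
}

// readUvarintBounded is the hardened form: at most maxUvarintLen bytes are
// consumed, and the tenth byte may contribute only the top bit.
func readUvarintBounded(r io.ByteReader) (x uint64, n int, err error) {
	var s uint
	var b byte
	for n < maxUvarintLen {
		if b, err = r.ReadByte(); err != nil {
			return x, n, err
		}
		n++
		if b < 0x80 {
			if n == maxUvarintLen && b > 1 {
				return x, n, errOverflowU64
			}
			return x | uint64(b)<<s, n, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	// Ten continuation bytes without a terminator: refuse instead of spinning.
	return x, n, errOverflowU64
}

// limitedByteReader is the advisory's workaround for an unfixed reader:
// bound the bytes the decoder may pull from the input so a malicious stream
// ends in io.EOF rather than an unbounded loop.
func limitedByteReader(r io.Reader, limit int64) io.ByteReader {
	return bufio.NewReader(io.LimitReader(r, limit))
}

// endlessReader is a constructed attacker stream: continuation bytes forever.
type endlessReader struct{}

func (endlessReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0x80
	}
	return len(p), nil
}

func main() {
	ok := []byte{0xAC, 0x02} // varint encoding of 300
	x, n, err := readUvarintBounded(bytes.NewReader(ok))
	fmt.Println("bounded, valid input:", x, n, err)

	cont := bytes.Repeat([]byte{0x80}, 50) // 50 continuation bytes, then EOF
	_, n, err = readUvarintUnbounded(bytes.NewReader(cont))
	fmt.Println("unbounded, 50 continuation bytes:", n, err)
	_, n, err = readUvarintBounded(bytes.NewReader(cont))
	fmt.Println("bounded, 50 continuation bytes:", n, err)

	// Without the limit this call would never return.
	_, n, err = readUvarintUnbounded(limitedByteReader(endlessReader{}, 64))
	fmt.Println("unbounded over LimitReader(64):", n, err)
}
```

Running it shows the unbounded reader consuming every byte it is given (all 50, and all 64 that the LimitReader allows) before giving up, while the bounded reader stops after 10 bytes with an overflow error; on a well-formed varint both return the same value.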