GHSA-q6gq-997w-f55g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q6gq-997w-f55g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-q6gq-997w-f55g/GHSA-q6gq-997w-f55g.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-q6gq-997w-f55g
- Aliases
- Withdrawn
- 2025-10-14T19:37:18Z
- Published
- 2021-12-16T19:16:40Z
- Modified
- 2025-10-14T19:37:19Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Withdrawn Advisory: Infinite loop in xz
- Details
-
Withdrawn Advisory
This advisory has been withdrawn because alerts cannot be issued for the Go standard library at this time.
Original Description
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
- Database specific
{ "nvd_published_at": "2020-08-06T18:15:00Z", "github_reviewed": true, "cwe_ids": [ "CWE-835" ], "severity": "HIGH", "github_reviewed_at": "2021-06-18T22:05:40Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-16845
- https://github.com/ulikunitz/xz/issues/35
- https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
- https://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo
- https://groups.google.com/forum/#!topic/golang-announce/_ulYYcIWg3Q
- https://lists.debian.org/debian-lts-announce/2020/11/msg00037.html
- https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RCFJTMKHY5ICGEM5BUFUEDDGSPJ25XU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWRBAH4UZJO3RROQ72SYCUPFCJFA22FO
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV2VWKFTH4EJGZBZALVUJQJOAQB5MDQ4
- https://security.netapp.com/advisory/ntap-20200924-0002
- https://www.debian.org/security/2021/dsa-4848
- https://www.oracle.com/security-alerts/cpuApr2021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html
Affected packages
Go / github.com/ulikunitz/xz
Package
- Name
- github.com/ulikunitz/xz
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/ulikunitz/xz