[SECURITY] Implementation of readUvarint vulnerable to CVE-2020-16845

Implementation of readUvarint at is very similar to the vulnerable code in the Golang encoding/binary library and seems to suffer from the same vulnerability described in

See the fix at

Note: I couldn't find any information on how to disclose this issue to the maintainers. I would also suggest setting up a Security Policy for the project within GitHub.
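The fix referenced above bounds the varint read loop, which is what turns both failure modes of CVE-2020-16845 (an input that never clears the continuation bit, and an overlong encoding whose high bits are silently shifted away) into an error. The following is an added example, not the xz module's code nor the Go standard library's; `readUvarint`, `maxVarintLen64` and `errOverflow` are names chosen here, and the inputs in `main` are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxVarintLen64 is the longest valid LEB128 encoding of a uint64: nine bytes
// of seven payload bits each plus a tenth byte carrying the final bit.
const maxVarintLen64 = 10

var errOverflow = errors.New("varint overflows a 64-bit integer")

// readUvarint is the hardened form of the reader the issue describes. The
// pattern behind CVE-2020-16845 loops `for {}` while the continuation bit
// (0x80) is set, so an input that never clears it is consumed without bound
// and an encoding longer than ten bytes is accepted with its high bits
// shifted out of the uint64. Bounding the loop makes both cases an error.
func readUvarint(r io.ByteReader) (uint64, error) {
	var x, s uint64
	for i := 0; i < maxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err // io.EOF if the stream ends mid-varint
		}
		if b < 0x80 {
			if i == maxVarintLen64-1 && b > 1 {
				return x, errOverflow // the 10th byte may carry only bit 63
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errOverflow // continuation bit still set after 10 bytes
}

func main() {
	valid := []byte{0xAC, 0x02}                              // constructed: encodes 300
	overlong := append(bytes.Repeat([]byte{0x80}, 11), 0x01) // constructed: 11 continuation bytes
	fmt.Println(readUvarint(bytes.NewReader(valid)))    // 300 <nil>
	fmt.Println(readUvarint(bytes.NewReader(overlong))) // 0 varint overflows a 64-bit integer
}
```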


ulikunitz:

You are right. Because the xz module is not the golang stdlib, the advisory should have its own CVE. I have now requested a CVE through the GitHub Security Advisory interface. I was not aware of that option.


Ulrich Kunitz (ulikunitz), Germany. Go developer interested in compression; DevOps manager for identity & authentication.