[SECURITY] Implementation of readUvarint vulnerable to CVE-2020-16845
readUvarint at https://github.com/ulikunitz/xz/blob/master/bits.go#L56 is very similar to the vulnerable code in the Golang
encoding/binary library and seems to suffer from the same vulnerability described in https://github.com/golang/go/issues/40618.
See the fix at https://go-review.googlesource.com/c/go/+/247120/2/src/encoding/binary/varint.go
Note: I couldn't find any information on how to disclose this issue to the maintainers. I would also suggest setting up a Security Policy for the project within GitHub.
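As an added illustration (not code from the xz project or from the linked Go change), the unbounded read pattern the issue describes next to the bounded form the Go fix introduced; the function names are assumed, and the 1 MiB input with no terminating byte is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)
const maxVarintLen64 = 10 // a uint64 needs at most 10 base-128 groups
var errOverflow = errors.New("varint overflows a 64-bit integer")
// Pre-fix pattern behind CVE-2020-16845: nothing bounds the loop, so a stream of
// continuation bytes (>= 0x80) with no terminator is read in full until EOF.
func readUvarintUnbounded(r io.ByteReader) (x uint64, n int, err error) {
	for s := uint(0); ; s += 7 {
		b, err := r.ReadByte()
		if err != nil {
			return x, n, err
		}
		n++
		if b < 0x80 {
			return x | uint64(b)<<s, n, nil
		}
		x |= uint64(b&0x7f) << s
	}
}
// Fixed pattern from the linked Go CL: after maxVarintLen64 bytes without a
// terminator the call returns overflow instead of reading on.
func readUvarintBounded(r io.ByteReader) (x uint64, n int, err error) {
	for s := uint(0); n < maxVarintLen64; s += 7 {
		b, err := r.ReadByte()
		if err != nil {
			return x, n, err
		}
		n++
		if b < 0x80 {
			if n == maxVarintLen64 && b > 1 { // 10th group may only carry 1 bit
				return x, n, errOverflow
			}
			return x | uint64(b)<<s, n, nil
		}
		x |= uint64(b&0x7f) << s
	}
	return x, n, errOverflow
}
func main() { // constructed input: 1 MiB of continuation bytes, no terminator
	hostile := bytes.Repeat([]byte{0x80}, 1<<20)
	_, n1, err1 := readUvarintUnbounded(bytes.NewReader(hostile))
	_, n2, err2 := readUvarintBounded(bytes.NewReader(hostile))
	fmt.Println(n1, err1, n2, err2) // 1048576 EOF 10 varint overflows a 64-bit integer
}
```

The bounded reader caps the bytes an untrusted stream can make the decoder consume at 10, while still decoding every valid uint64 encoding.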
ulikunitz
You are right. Because the xz module is not the golang stdlib, the advisory should have its own CVE. I have now requested a CVE through the GitHub Security Advisory interface. I was not aware of that option.