[SECURITY] Implementation of readUvarint vulnerable to CVE-2020-16845

Implementation of readUvarint at https://github.com/ulikunitz/xz/blob/master/bits.go#L56 is very similar to the vulnerable code in the Golang encoding/binary library and seems to suffer from the same vulnerability described in https://github.com/golang/go/issues/40618.

See the fix at https://go-review.googlesource.com/c/go/+/247120/2/src/encoding/binary/varint.go

Note: I couldn't find any information on how to disclose this issue to the maintainers. I would also suggest setting up a Security Policy for the project within GitHub.

ulikunitz/xz
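As an added example (not the xz project's code, nor the Go standard library's), here is a readUvarint written with the loop bound that the linked Go fix introduces: the reader stops after ten bytes, so a long run of continuation bytes (0x80) returns an overflow error instead of being consumed indefinitely, and a value cut off mid-encoding is reported as an unexpected EOF. The names maxVarintLen64 and errOverflowU64 and the sample inputs are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxVarintLen64 is the longest valid base-128 encoding of a uint64 (assumed name).
const maxVarintLen64 = 10

var errOverflowU64 = errors.New("varint overflows a 64-bit unsigned integer")

// readUvarint decodes one base-128 varint from r and returns the value, the number
// of bytes consumed, and an error. The loop is bounded by maxVarintLen64, which is
// the defensive check: input can never make it read more than ten bytes.
func readUvarint(r io.ByteReader) (uint64, int, error) {
	var x uint64
	var s uint
	for i := 0; i < maxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF // stream ended inside an encoding
			}
			return x, i, err
		}
		if b < 0x80 {
			// Only bit 63 is left for the tenth byte; anything larger overflows.
			if i == maxVarintLen64-1 && b > 1 {
				return x, i + 1, errOverflowU64
			}
			return x | uint64(b)<<s, i + 1, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	// Ten continuation bytes and no terminator: not a valid varint, stop reading.
	return x, maxVarintLen64, errOverflowU64
}

// decode runs the reader over a constructed in-memory input.
func decode(in []byte) (uint64, int, error) {
	return readUvarint(bytes.NewReader(in))
}

func main() {
	x, n, err := decode(bytes.Repeat([]byte{0x80}, 1<<16)) // 64 KiB of continuation bytes
	fmt.Printf("value=%d bytesRead=%d err=%v\n", x, n, err) // bytesRead=10, overflow error
	x, n, err = decode([]byte{0xac, 0x02})
	fmt.Printf("value=%d bytesRead=%d err=%v\n", x, n, err) // value=300 bytesRead=2
}
```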

Answer (ulikunitz):

I got the following information:

GitHub has issued CVE-2021-29482 for this Security Advisory after reviewing it for compliance with CVE rules. Since you've already published this Security Advisory, we'll publish this CVE to the CVE List.

source:https://uonfu.com/
Answerer: Ulrich Kunitz (ulikunitz), Germany. Go developer interested in compression; DevOps manager for identity & authentication.