[SECURITY] Implementation of readUvarint vulnerable to CVE-2020-16845
readUvarint at https://github.com/ulikunitz/xz/blob/master/bits.go#L56 is very similar to the vulnerable code in the Golang encoding/binary library and seems to suffer from the same vulnerability described in https://github.com/golang/go/issues/40618.
See the fix at https://go-review.googlesource.com/c/go/+/247120/2/src/encoding/binary/varint.go
Note: I couldn't find any information on how to disclose this issue to the maintainers. I would also suggest setting up a Security Policy for the project within GitHub.
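To make the reported bug class concrete, here is an added example (not the xz project's code, and not the reporter's) of a varint decoder written with the bound from the linked Go fix, driven by a constructed hostile input. The pre-fix shape, described in the Go issue, is the same loop with no byte limit: an input consisting only of continuation bytes (0x80) keeps it reading indefinitely. The `continuationStream`, `decodeHostile` and `roundTrip` names are mine.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"io"
)

var errOverflow = errors.New("varint overflows a 64-bit integer")

// readUvarint is the bounded decoder from the Go fix linked above: the pre-fix loop had
// no i < MaxVarintLen64 bound, so an endless run of continuation bytes kept it reading.
func readUvarint(r io.ByteReader) (uint64, error) {
	var x, s uint64
	for i := 0; i < binary.MaxVarintLen64; i++ { // at most 10 bytes for a uint64
		b, err := r.ReadByte()
		if err != nil {
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF // input ended mid-value
			}
			return x, err
		}
		if b < 0x80 { // continuation bit clear: this is the final byte
			if i == binary.MaxVarintLen64-1 && b > 1 { // 9*7 + 1 = 64 bits max
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errOverflow // ten continuation bytes and still no terminator
}

// continuationStream is a constructed hostile input: endless 0x80 bytes, counting reads.
type continuationStream struct{ read int }
func (c *continuationStream) ReadByte() (byte, error) { c.read++; return 0x80, nil }

// decodeHostile reports how many bytes the bounded decoder consumed and why it stopped.
func decodeHostile() (int, error) {
	c := &continuationStream{}
	_, err := readUvarint(c)
	return c.read, err
}

// roundTrip encodes v with the standard library and decodes it with readUvarint.
func roundTrip(v uint64) (uint64, error) {
	buf := make([]byte, binary.MaxVarintLen64)
	return readUvarint(bytes.NewReader(buf[:binary.PutUvarint(buf, v)]))
}
```

Against the hostile stream the bounded decoder stops after exactly 10 bytes with an overflow error, while still decoding every valid encoding up to the maximum uint64.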
Reply from ulikunitz:
I got the following information:
GitHub has issued CVE-2021-29482 for this Security Advisory after reviewing it for compliance with CVE rules. Since you've already published this Security Advisory, we'll publish this CVE to the CVE List.