CVE-2021-29482 – denial of service in github.com/ulikunitz/xz

https://notcve.org/view.php?id=CVE-2021-29482

xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated. xz es una biblioteca de compresión y descompresión que se centra en el formato xz escrito completamente en Go. • https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27 https://access.redhat.com/security/cve/CVE-2021-29482 https://bugzilla.redhat.com/show_bug.cgi?id=1954368 • CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •