VulnerableCode Package Details - pkg:golang/github.com/ulikunitz/xz@0.5.8

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-dwge-3up7-yyaq	Withdrawn Advisory: Infinite loop in xz ### Withdrawn Advisory This advisory has been withdrawn because alerts cannot be issued for the Go standard library at this time. ### Original Description Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.	CVE-2020-16845 GHSA-q6gq-997w-f55g
VCID-esea-tj2b-h7ey	github.com/ulikunitz/xz fixes readUvarint Denial of Service (DoS) ### Impact xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. ### Patches The problem has been fixed in release v0.5.8. ### Workarounds Limit the size of the compressed file input to a reasonable size for your use case. ### References The standard library had recently the same issue and got the [CVE-2020-16845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16845) allocated. ### For more information If you have any questions or comments about this advisory: * Open an issue in [xz](https://github.com/ulikunitz/xz/issues).	CVE-2021-29482 GHSA-25xm-hr59-7c27

Vulnerability

Summary

Aliases

VCID-dwge-3up7-yyaq

Withdrawn Advisory: Infinite loop in xz ### Withdrawn Advisory This advisory has been withdrawn because alerts cannot be issued for the Go standard library at this time. ### Original Description Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

CVE-2020-16845
GHSA-q6gq-997w-f55g

VCID-esea-tj2b-h7ey

github.com/ulikunitz/xz fixes readUvarint Denial of Service (DoS) ### Impact xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. ### Patches The problem has been fixed in release v0.5.8. ### Workarounds Limit the size of the compressed file input to a reasonable size for your use case. ### References The standard library had recently the same issue and got the [CVE-2020-16845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16845) allocated. ### For more information If you have any questions or comments about this advisory: * Open an issue in [xz](https://github.com/ulikunitz/xz/issues).

CVE-2021-29482
GHSA-25xm-hr59-7c27

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:03:11.899222+00:00	GithubOSV Importer	Fixing	VCID-esea-tj2b-h7ey	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-25xm-hr59-7c27/GHSA-25xm-hr59-7c27.json	38.0.0
2026-04-01T13:01:07.859538+00:00	GithubOSV Importer	Fixing	VCID-dwge-3up7-yyaq	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-q6gq-997w-f55g/GHSA-q6gq-997w-f55g.json	38.0.0

2026-04-01T13:03:11.899222+00:00

GithubOSV Importer

Fixing

VCID-esea-tj2b-h7ey

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-25xm-hr59-7c27/GHSA-25xm-hr59-7c27.json

38.0.0

2026-04-01T13:01:07.859538+00:00

GithubOSV Importer

Fixing

VCID-dwge-3up7-yyaq

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-q6gq-997w-f55g/GHSA-q6gq-997w-f55g.json

38.0.0