
Fidget-Grep

Updates

  • Affected products
  • References
  • Source code location

Comments
As per the Go Vulnerability Database (https://pkg.go.dev/vuln/GO-2021-0142) this vulnerability also affects the Go Standard Library encoding/binary. I've added this library as an affected package and listed the appropriate affected versions as per the advisory. I also added some helpful reference links and a missing source code link to the "xz" project.
Let me know if any information is missing or incorrect, thanks.

@github-actions github-actions bot changed the base branch from main to Fidget-Grep/advisory-improvement-6316 October 13, 2025 18:18
@Fidget-Grep
Author

Actually, reading further, I think this advisory shouldn't mention "github.com/ulikunitz/xz" at all. The infinite loop vuln mentioned here is already covered by this GHSA: GHSA-25xm-hr59-7c27. It looks like this GHSA is actually about the infinite read loop in encoding/binary. I'll see if I can update the PR.

@helixplant

Hi @Fidget-Grep,
Thank you for bringing this to our attention! CVE-2020-16845 does pertain to Go and specifically mentions the encoding/binary standard library package. However, at this time we are unable to issue alerts for Go standard library packages, so this advisory will be withdrawn to prevent any confusion.

@advisory-database advisory-database bot merged commit 2b29c03 into Fidget-Grep/advisory-improvement-6316 Oct 14, 2025
@advisory-database
Contributor

Hi @Fidget-Grep! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the Fidget-Grep-GHSA-q6gq-997w-f55g branch October 14, 2025 19:37