Merge pull request #6316 from github/Fidget-Grep-GHSA-q6gq-997w-f55g

advisory-database[bot] · web-flow · commit 2b29c03562ba · 2025-10-14T19:37:20.000Z
diff --git a/advisories/github-reviewed/2021/12/GHSA-q6gq-997w-f55g/GHSA-q6gq-997w-f55g.json b/advisories/github-reviewed/2021/12/GHSA-q6gq-997w-f55g/GHSA-q6gq-997w-f55g.json
@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q6gq-997w-f55g",
-  "modified": "2021-06-18T22:05:40Z",
+  "modified": "2023-02-01T05:05:48Z",
   "published": "2021-12-16T19:16:40Z",
   "aliases": [
     "CVE-2020-16845"
   ],
-  "summary": "Infinite loop in xz",
+  "summary": "Infinite loop in Go standard library encoding/binary",
   "details": "Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.",
   "severity": [
     {
@@ -18,7 +18,7 @@
     {
       "package": {
         "ecosystem": "Go",
-        "name": "github.com/ulikunitz/xz"
+        "name": "encoding/binary"
       },
       "ranges": [
         {
@@ -28,7 +28,26 @@
               "introduced": "0"
             },
             {
-              "fixed": "0.5.8"
+              "fixed": "1.13.15"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "encoding/binary"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.14.0"
+            },
+            {
+              "fixed": "1.14.7"
             }
           ]
         }
@@ -41,12 +60,12 @@
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845"
     },
     {
-      "type": "WEB",
-      "url": "https://github.com/ulikunitz/xz/issues/35"
+      "type": "PACKAGE",
+      "url": "https://github.com/golang/go"
     },
     {
       "type": "WEB",
-      "url": "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b"
+      "url": "https://go.dev/issue/40618"
     },
     {
       "type": "WEB",
@@ -80,6 +99,10 @@
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV2VWKFTH4EJGZBZALVUJQJOAQB5MDQ4"
     },
+    {
+      "type": "WEB",
+      "url": "https://pkg.go.dev/vuln/GO-2021-0142"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20200924-0002"
