Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
Vulnerability Description
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
不加限制或调节的资源分配
Vulnerability Title
xz 安全漏洞
Vulnerability Description
xz是一个应用软件。用于支持读取和写入xz压缩流。 xz 0.5.14之前版本存在安全漏洞,该漏洞源于LZMA编码字节流头部检测不足,可能导致内存消耗增加。
CVSS Information
N/A
Vulnerability Type
N/A