github.com/ulikunitz/xz vulnerabilities

3 known vulnerabilities affecting github.com/ulikunitz/xz.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 1

Vulnerabilities

CVE-2025-58058 | MEDIUM | ≥ 0, < 0.5.15 | 2025-08-28
CVE-2025-58058 [MEDIUM] CWE-770 github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
### Summary
It is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZ
Sources: GHSA, OSV

CVE-2020-16845 | HIGH | ≥ 0, < 0.5.8 | 2021-12-16
CVE-2020-16845 [HIGH] CWE-835 Withdrawn Advisory: Infinite loop in xz
### Withdrawn Advisory
This advisory has been withdrawn because alerts cannot be issued for the Go standard library at this time.
### Original Description
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Sources: GHSA, OSV

CVE-2021-29482 | HIGH | CVSS 7.5 | ≥ 0, < 0.5.8 | 2021-05-25
CVE-2021-29482 [HIGH] CWE-835 github.com/ulikunitz/xz fixes readUvarint Denial of Service (DoS)
### Impact
xz is a compression and decompression library focusing on the xz format, completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop when provided malicious input.
### Patches
The problem has been fixed in release v0.5.8.
### Workarounds
Limit the size of the compressed file
Sources: GHSA, OSV