FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

go -- encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs

Affected packages
go < 1.14.7,1

Details

VuXML ID bc7aff8c-d806-11ea-a5aa-0800272260e5
Discovery 2020-08-06
Entry 2020-08-06

The Go project reports:

Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from the network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.

References

CVE Name CVE-2020-16845
URL https://github.com/golang/go/issues/40618