Bug 1214590 (CVE-2020-22916)

Summary: VUL-0: CVE-2020-22916: xz: denial-of-service via decompression of crafted file
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/375984/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-22916:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2023-08-24 15:05:54 UTC
CVE-2020-22916

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service
via decompression of a crafted file.

The GitHub link below is not working. Unclear how this can be reproduced or if we have a fix.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-22916
https://www.cve.org/CVERecord?id=CVE-2020-22916
https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability
https://tukaani.org/xz/

Comment 1 Danilo Spinella 2023-10-11 10:05:10 UTC
Looking at the GitHub issue in the xz repository [1], it seems that this is not an actual issue.

https://github.com/tukaani-project/xz/issues/61