| { |
| "id": "GO-2021-0100", |
| "published": "2021-07-28T18:08:05Z", |
| "modified": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2021-20291", |
| "GHSA-7qw8-847f-pggm" |
| ], |
| "details": "Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream\non a xz archive returns a reader which will hang indefinitely when Close is called. An attacker\ncan use this to cause denial of service if they are able to cause the caller to attempt to\ndecompress an archive they control.\n", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/containers/storage", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.28.1" |
| } |
| ] |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2021-0100" |
| }, |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/containers/storage/pkg/archive", |
| "symbols": [ |
| "ApplyLayer", |
| "ApplyUncompressedLayer", |
| "Archiver.CopyFileWithTar", |
| "Archiver.CopyWithTar", |
| "Archiver.TarUntar", |
| "Archiver.UntarPath", |
| "CopyResource", |
| "CopyTo", |
| "DecompressStream", |
| "IsArchivePath", |
| "Untar", |
| "UntarPath", |
| "UntarUncompressed", |
| "cmdStream" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://github.com/containers/storage/pull/860" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939485" |
| } |
| ] |
| } |
