blob: 225f75dc37290fffde52aeb608feb0e67b35719f [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2021-0100",
"modified": "0001-01-01T00:00:00Z",
"published": "2021-07-28T18:08:05Z",
"aliases": [
"CVE-2021-20291",
"GHSA-7qw8-847f-pggm"
],
"summary": "Denial of service via deadlock in github.com/containers/storage",
"details": "Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker can use this to cause denial of service if they are able to cause the caller to attempt to decompress an archive they control.",
"affected": [
{
"package": {
"name": "github.com/containers/storage",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.28.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/containers/storage/pkg/archive",
"symbols": [
"ApplyLayer",
"ApplyUncompressedLayer",
"Archiver.CopyFileWithTar",
"Archiver.CopyWithTar",
"Archiver.TarUntar",
"Archiver.UntarPath",
"CopyResource",
"CopyTo",
"DecompressStream",
"IsArchivePath",
"Untar",
"UntarPath",
"UntarUncompressed",
"cmdStream"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/containers/storage/pull/860"
},
{
"type": "FIX",
"url": "https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939485"
}
],
"credits": [
{
"name": "Aviv Sasson (Palo Alto Networks)"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0100",
"review_status": "REVIEWED"
}
}