| id: GO-2021-0100 |
| modules: |
| - module: github.com/containers/storage |
| versions: |
| - fixed: 1.28.1 |
| vulnerable_at: 1.28.1-0.20210316105906-29dc2106ab59 |
| packages: |
| - package: github.com/containers/storage/pkg/archive |
| symbols: |
| - cmdStream |
| derived_symbols: |
| - ApplyLayer |
| - ApplyUncompressedLayer |
| - Archiver.CopyFileWithTar |
| - Archiver.CopyWithTar |
| - Archiver.TarUntar |
| - Archiver.UntarPath |
| - CopyResource |
| - CopyTo |
| - DecompressStream |
| - IsArchivePath |
| - Untar |
| - UntarPath |
| - UntarUncompressed |
| summary: Denial of service via deadlock in github.com/containers/storage |
| description: |- |
| Due to a goroutine deadlock, using |
| github.com/containers/storage/pkg/archive.DecompressStream on a xz archive |
| returns a reader which will hang indefinitely when Close is called. An attacker |
| can use this to cause denial of service if they are able to cause the caller to |
| attempt to decompress an archive they control. |
| published: 2021-07-28T18:08:05Z |
| cves: |
| - CVE-2021-20291 |
| ghsas: |
| - GHSA-7qw8-847f-pggm |
| credits: |
| - Aviv Sasson (Palo Alto Networks) |
| references: |
| - fix: https://github.com/containers/storage/pull/860 |
| - fix: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1 |
| - web: https://bugzilla.redhat.com/show_bug.cgi?id=1939485 |
| review_status: REVIEWED |