blob: 7cdb9bc6968d8692931eabe8b4fc83039eef9090 [file] [log] [blame]
id: GO-2021-0100
modules:
- module: github.com/containers/storage
versions:
- fixed: 1.28.1
vulnerable_at: 1.28.1-0.20210316105906-29dc2106ab59
packages:
- package: github.com/containers/storage/pkg/archive
symbols:
- cmdStream
derived_symbols:
- ApplyLayer
- ApplyUncompressedLayer
- Archiver.CopyFileWithTar
- Archiver.CopyWithTar
- Archiver.TarUntar
- Archiver.UntarPath
- CopyResource
- CopyTo
- DecompressStream
- IsArchivePath
- Untar
- UntarPath
- UntarUncompressed
summary: Denial of service via deadlock in github.com/containers/storage
description: |-
Due to a goroutine deadlock, using
github.com/containers/storage/pkg/archive.DecompressStream on a xz archive
returns a reader which will hang indefinitely when Close is called. An attacker
can use this to cause denial of service if they are able to cause the caller to
attempt to decompress an archive they control.
published: 2021-07-28T18:08:05Z
cves:
- CVE-2021-20291
ghsas:
- GHSA-7qw8-847f-pggm
credits:
- Aviv Sasson (Palo Alto Networks)
references:
- fix: https://github.com/containers/storage/pull/860
- fix: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
- web: https://bugzilla.redhat.com/show_bug.cgi?id=1939485
review_status: REVIEWED