blob: 22b4d2f55fd5333c2e49abfc7c316499ac03d881 [file] [log] [blame]
packages:
- module: github.com/containers/storage
package: github.com/containers/storage/pkg/archive
symbols:
- cmdStream
derived_symbols:
- ApplyLayer
- ApplyUncompressedLayer
- Archiver.CopyFileWithTar
- Archiver.CopyWithTar
- Archiver.TarUntar
- Archiver.UntarPath
- CopyResource
- CopyTo
- DecompressStream
- IsArchivePath
- Untar
- UntarPath
- UntarUncompressed
versions:
- fixed: 1.28.1
description: |
Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream
on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker
can use this to cause denial of service if they are able to cause the caller to attempt to
decompress an archive they control.
published: 2021-07-28T18:08:05Z
cves:
- CVE-2021-20291
ghsas:
- GHSA-7qw8-847f-pggm
credit: Aviv Sasson (Palo Alto Networks)
links:
pr: https://github.com/containers/storage/pull/860
commit: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
context:
- https://github.com/advisories/GHSA-7qw8-847f-pggm
- https://bugzilla.redhat.com/show_bug.cgi?id=1939485