Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 785895 (CVE-2021-20291) - [Tracker] Deadlock vulnerability through embedded app-emulation/containers-storage (CVE-2021-20291)
Summary: [Tracker] Deadlock vulnerability through embedded app-emulation/containers-st...
Status: RESOLVED FIXED
Alias: CVE-2021-20291
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://unit42.paloaltonetworks.com/c...
Whiteboard:
Keywords: Tracker
Depends on: 785898 785901 785904 785910 785916
Blocks:
  Show dependency tree
 
Reported: 2021-04-26 21:20 UTC by GLSAMaker/CVETool Bot
Modified: 2022-07-15 04:25 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2021-04-26 21:20:49 UTC
CVE-2021-20291 (https://nvd.nist.gov/vuln/detail/CVE-2021-20291):
  A deadlock vulnerability was found in 'github.com/containers/storage' in
  versions before 1.28.1. When a container image is processed, each layer is
  unpacked using `tar`. If one of those layers is not a valid `tar` archive
  this causes an error leading to an unexpected situation where the code
  indefinitely waits for the tar unpacked stream, which never finishes. An
  attacker could use this vulnerability to craft a malicious image, which when
  downloaded and stored by an application using containers/storage, would then
  cause a deadlock leading to a Denial of Service (DoS).
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:22:44 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:31:01 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:38:58 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:47:08 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:03:05 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:11:23 UTC
Package list is empty or all packages have requested keywords.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 04:25:47 UTC
All dependencies are done!