785898 – <app-emulation/containers-storage-1.30.0: deadlock vulnerability (CVE-2021-20291)

Bug 785898 - <app-emulation/containers-storage-1.30.0: deadlock vulnerability (CVE-2021-20291)

Summary: <app-emulation/containers-storage-1.30.0: deadlock vulnerability (CVE-2021-20...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:
Whiteboard:	~3 [noglsa]
Keywords:

Duplicates (1):	785907 (view as bug list)
Depends on:
Blocks:	CVE-2021-20291
	Show dependency tree

Reported:	2021-04-26 21:24 UTC by GLSAMaker/CVETool Bot
Modified:	2021-04-27 00:02 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2021-04-26 21:24:41 UTC

CVE-2021-20291 (https://nvd.nist.gov/vuln/detail/CVE-2021-20291):
  A deadlock vulnerability was found in 'github.com/containers/storage' in
  versions before 1.28.1. When a container image is processed, each layer is
  unpacked using `tar`. If one of those layers is not a valid `tar` archive
  this causes an error leading to an unexpected situation where the code
  indefinitely waits for the tar unpacked stream, which never finishes. An
  attacker could use this vulnerability to craft a malicious image, which when
  downloaded and stored by an application using containers/storage, would then
  cause a deadlock leading to a Denial of Service (DoS).

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2021-04-26 21:36:13 UTC

*** Bug 785907 has been marked as a duplicate of this bug. ***

Comment 2 Larry the Git Cow gentoo-dev

2021-04-26 21:38:20 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bf3edc9f8302d92714d940d23acc77a73a48133

commit 9bf3edc9f8302d92714d940d23acc77a73a48133
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 21:37:37 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 21:37:47 +0000

    app-emulation/containers-storage: Remove vunlerable versions
    
    Bug: https://bugs.gentoo.org/785898
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/containers-storage/Manifest          |  3 --
 .../containers-storage-1.18.1.ebuild               | 58 ----------------------
 .../containers-storage-1.20.2.ebuild               | 58 ----------------------
 .../containers-storage-1.23.3.ebuild               | 58 ----------------------
 4 files changed, 177 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72b5975efddd840644b5a08e46798183cf4f3288

commit 72b5975efddd840644b5a08e46798183cf4f3288
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 21:33:25 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 21:36:55 +0000

    app-emulation/containers-storage: Bump to version 1.30.0
    
    Bug: https://bugs.gentoo.org/785898
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/containers-storage/Manifest          |  1 +
 .../containers-storage-1.30.0.ebuild               | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)

Comment 3 John Helmert III archtester

2021-04-26 23:50:03 UTC

Thanks! Tree clean, all done.