CVE-2021-20291 (https://nvd.nist.gov/vuln/detail/CVE-2021-20291): A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).
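The wait-forever shape the advisory describes, as an added illustration written for this page (not code from containers/storage, cri-o, or the actual fix): a producer goroutine parses the layer as tar and streams it into an io.Pipe that the unpacking side drains. If the layer is not a tar archive the producer hits an error and returns; unless that error path also closes the pipe, the reader blocks forever and the unpack never completes. Everything here is constructed for the example: the sample layers, the entry names, and the timeout wrapper (which exists only so the hang is observable; the affected code had no such guard). The `closeOnError` switch selects the buggy or the corrected producer.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"time"
)

// ErrTimeout marks an unpack that never finished. Hypothetical guard for this example only.
var ErrTimeout = errors.New("unpack did not finish: producer never closed the pipe")

type entry struct{ name, body string }              // one file of a constructed sample layer
type result struct{ names []string; err error }     // what the producer goroutine reports back

// buildLayer assembles a small valid tar layer in memory (constructed sample input).
func buildLayer(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Typeflag: tar.TypeReg, Name: e.name, Mode: 0o644, Size: int64(len(e.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		io.WriteString(tw, e.body) // in-memory write; length is fixed by hdr.Size above
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// garbageLayer is a constructed "layer" that is not a tar archive at all.
var garbageLayer = bytes.Repeat([]byte("not a tar archive\n"), 64)

// forward walks the tar stream, records entry names and streams each file body into w
// (standing in for whatever lands the layer on disk). A non-tar layer fails at Next().
func forward(layer []byte, w io.Writer) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(layer))
	var names []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return names, err
		}
		names = append(names, hdr.Name)
		if _, err := io.Copy(w, tr); err != nil {
			return names, err
		}
	}
}

// applyLayer runs forward as the producer side of an io.Pipe while the caller drains the
// consumer side. closeOnError=false is the deadlock shape: the producer's error path
// returns with the pipe still open, so io.ReadAll below never returns.
func applyLayer(layer []byte, closeOnError bool) ([]string, error) {
	pr, pw := io.Pipe()
	done := make(chan result, 1)
	go func() {
		names, err := forward(layer, pw)
		if err != nil && !closeOnError {
			done <- result{names, err} // buggy: pipe left open, reader blocks forever
			return
		}
		pw.CloseWithError(err) // nil closes normally; otherwise the reader receives err
		done <- result{names, err}
	}()
	_, _ = io.ReadAll(pr) // returns only once pw is closed; its error equals res.err
	res := <-done
	return res.names, res.err
}

// unpackWithTimeout runs applyLayer in its own goroutine and gives up after limit, so a
// deadlocked unpack is reported as ErrTimeout instead of hanging the caller.
func unpackWithTimeout(layer []byte, closeOnError bool, limit time.Duration) ([]string, error) {
	ch := make(chan result, 1)
	go func() {
		names, err := applyLayer(layer, closeOnError)
		ch <- result{names, err}
	}()
	select {
	case r := <-ch:
		return r.names, r.err
	case <-time.After(limit):
		return nil, ErrTimeout
	}
}

func main() {
	_, err := unpackWithTimeout(garbageLayer, false, 500*time.Millisecond)
	fmt.Println("buggy producer, non-tar layer:", err)
	_, err = unpackWithTimeout(garbageLayer, true, time.Second)
	fmt.Println("fixed producer, non-tar layer:", err)
}
```

With the buggy producer the non-tar layer comes back as ErrTimeout (the unpack goroutine stays blocked on the pipe, which is the DoS in miniature); with the corrected producer the same input returns the tar parse error promptly, and a valid layer unpacks in either mode. The general rule the fix illustrates: whoever owns the write end of a pipe must close it on every exit path, ideally with CloseWithError so the reader learns why the stream ended.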
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=449dae000afa1038f206f231ada81254df905a5d

commit 449dae000afa1038f206f231ada81254df905a5d
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 23:18:45 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 23:20:06 +0000

    app-emulation/cri-o: Remove vulnerable versions

    Bug: https://bugs.gentoo.org/785904
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/cri-o/Manifest            |  3 --
 app-emulation/cri-o/cri-o-1.17.1.ebuild | 95 ---------------------------------
 app-emulation/cri-o/cri-o-1.18.3.ebuild | 95 ---------------------------------
 app-emulation/cri-o/cri-o-1.19.0.ebuild | 95 ---------------------------------
 4 files changed, 288 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df29fd4dc579aca46e7410b62d74981980b851d5

commit df29fd4dc579aca46e7410b62d74981980b851d5
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 23:10:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 23:20:06 +0000

    app-emulation/cri-o: Bump to version 1.21.0

    Bug: https://bugs.gentoo.org/785904
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/cri-o/Manifest            | 1893 +++++++++++++++++++++++++++++
 app-emulation/cri-o/cri-o-1.21.0.ebuild | 1997 +++++++++++++++++++++++++++++++
 2 files changed, 3890 insertions(+)
cri-o v1.21.0 received the fix for CVE-2021-20291 when it updated to containers/storage v1.28.1 in this commit: https://github.com/cri-o/cri-o/commit/aa4418436d62a250504e6bcb6efe517956fa74a8
Thanks! Tree clean, all done.