Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 785895 (CVE-2021-20291)

Summary: [Tracker] Deadlock vulnerability through embedded app-emulation/containers-storage (CVE-2021-20291)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal Keywords: Tracker
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://unit42.paloaltonetworks.com/cve-2021-20291/
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 785898, 785901, 785904, 785910, 785916    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2021-04-26 21:20:49 UTC 
CVE-2021-20291 (https://nvd.nist.gov/vuln/detail/CVE-2021-20291):
  A deadlock vulnerability was found in 'github.com/containers/storage' in
  versions before 1.28.1. When a container image is processed, each layer is
  unpacked using `tar`. If one of those layers is not a valid `tar` archive
  this causes an error leading to an unexpected situation where the code
  indefinitely waits for the tar unpacked stream, which never finishes. An
  attacker could use this vulnerability to craft a malicious image, which when
  downloaded and stored by an application using containers/storage, would then
  cause a deadlock leading to a Denial of Service (DoS).
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:22:44 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:31:01 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:38:58 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:47:08 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:03:05 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:11:23 UTC 
Package list is empty or all packages have requested keywords.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 04:25:47 UTC 
All dependencies are done!