
Bug 785898

Summary: <app-emulation/containers-storage-1.30.0: deadlock vulnerability (CVE-2021-20291)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: holgersson, zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 785895

Description GLSAMaker/CVETool Bot gentoo-dev 2021-04-26 21:24:41 UTC
CVE-2021-20291 (https://nvd.nist.gov/vuln/detail/CVE-2021-20291):
  A deadlock vulnerability was found in 'github.com/containers/storage' in
  versions before 1.28.1. When a container image is processed, each layer is
  unpacked using `tar`. If one of those layers is not a valid `tar` archive
  this causes an error leading to an unexpected situation where the code
  indefinitely waits for the tar unpacked stream, which never finishes. An
  attacker could use this vulnerability to craft a malicious image, which when
  downloaded and stored by an application using containers/storage, would then
  cause a deadlock leading to a Denial of Service (DoS).
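The indefinite wait described in the CVE text, as an added example that is not part of this bug report and not containers/storage's own code: a producer goroutine feeds a tar layer to an unpacker through an io.Pipe. With `hardened` false the producer hits a validation error and simply returns, leaving the pipe open, so the unpacker blocks forever on Read (a timeout makes the stall observable); with `hardened` true the producer closes its end of the pipe with the error and the unpacker returns it. All names (`processLayer`, `produceLayer`, `unpackLayer`, `checkTar`, `ErrInvalidLayer`, `ErrUnpackStalled`) are assumed for the example, and both sample layers are constructed inline.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"time"
)

var ( // both sentinel names are assumed for this example
	ErrInvalidLayer  = errors.New("layer is not a valid tar archive")
	ErrUnpackStalled = errors.New("unpacker stalled: producer never closed the stream")
)

// validTarLayer builds a small well-formed archive (constructed sample input).
func validTarLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("hello\n")
	// Errors are ignored: writes to an in-memory buffer cannot fail.
	tw.WriteHeader(&tar.Header{Name: "etc/motd", Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	return buf.Bytes()
}

// checkTar walks the headers once to decide whether the bytes parse as tar.
func checkTar(layer []byte) error {
	tr := tar.NewReader(bytes.NewReader(layer))
	for {
		if _, err := tr.Next(); err == io.EOF {
			return nil
		} else if err != nil {
			return fmt.Errorf("%w: %v", ErrInvalidLayer, err)
		}
	}
}

// produceLayer is the producer: validate, then stream the layer into the pipe.
// The modelled defect: with hardened == false a validation error abandons pw
// without closing it, so the consumer's Read never returns.
func produceLayer(layer []byte, pw *io.PipeWriter, hardened bool) {
	if err := checkTar(layer); err != nil {
		if hardened {
			pw.CloseWithError(err) // consumer's next Read returns err
		}
		return // unhardened: nobody will ever write to or close pw
	}
	_, err := pw.Write(layer)
	pw.CloseWithError(err) // nil err closes cleanly; consumer sees io.EOF
}

// unpackLayer is the consumer: it cannot tell a slow producer from a dead one.
func unpackLayer(r io.Reader) ([]string, error) {
	tr := tar.NewReader(r)
	var names []string
	for {
		hdr, err := tr.Next() // Next skips any unread entry content
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return names, err
		}
		names = append(names, hdr.Name)
	}
}

// processLayer wires producer and consumer through io.Pipe and waits for the
// unpacker. The timeout only makes the stall observable; the fix is CloseWithError.
func processLayer(layer []byte, hardened bool, timeout time.Duration) ([]string, error) {
	pr, pw := io.Pipe()
	var names []string
	done := make(chan error, 1)
	go produceLayer(layer, pw, hardened)
	go func() {
		var err error
		names, err = unpackLayer(pr)
		done <- err
	}()
	select {
	case err := <-done:
		return names, err
	case <-time.After(timeout):
		pr.CloseWithError(ErrUnpackStalled) // release the blocked unpacker goroutine
		return nil, ErrUnpackStalled
	}
}

func main() {
	garbage := []byte("definitely not a tar archive") // constructed malformed layer
	_, err := processLayer(garbage, false, 500*time.Millisecond)
	fmt.Println("unhardened:", err)
	_, err = processLayer(garbage, true, time.Second)
	fmt.Println("hardened:", err)
	names, err := processLayer(validTarLayer(), true, time.Second)
	fmt.Println("valid layer:", names, err)
}
```

The general rule the example illustrates: every error path on the writing side of a pipe must call `CloseWithError`, because the reading side has no other way to learn that the stream will never complete. The timeout in `processLayer` is a detection aid for the test, not a substitute for that close; the actual change shipped in containers/storage 1.28.1 is not reproduced here.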
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2021-04-26 21:36:13 UTC
*** Bug 785907 has been marked as a duplicate of this bug. ***
Comment 2 Larry the Git Cow gentoo-dev 2021-04-26 21:38:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bf3edc9f8302d92714d940d23acc77a73a48133

commit 9bf3edc9f8302d92714d940d23acc77a73a48133
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 21:37:37 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 21:37:47 +0000

    app-emulation/containers-storage: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/785898
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/containers-storage/Manifest          |  3 --
 .../containers-storage-1.18.1.ebuild               | 58 ----------------------
 .../containers-storage-1.20.2.ebuild               | 58 ----------------------
 .../containers-storage-1.23.3.ebuild               | 58 ----------------------
 4 files changed, 177 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72b5975efddd840644b5a08e46798183cf4f3288

commit 72b5975efddd840644b5a08e46798183cf4f3288
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 21:33:25 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 21:36:55 +0000

    app-emulation/containers-storage: Bump to version 1.30.0
    
    Bug: https://bugs.gentoo.org/785898
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/containers-storage/Manifest          |  1 +
 .../containers-storage-1.30.0.ebuild               | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-26 23:50:03 UTC
Thanks! Tree clean, all done.