
Bug 785916

Summary: <app-containers/skopeo-1.3.0: deadlock vulnerability through embedded app-containers/containers-storage (CVE-2021-20291)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: williamh
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 785895

Description GLSAMaker/CVETool Bot gentoo-dev 2021-04-26 22:25:27 UTC
CVE-2021-20291 (https://nvd.nist.gov/vuln/detail/CVE-2021-20291):
  A deadlock vulnerability was found in 'github.com/containers/storage' in
  versions before 1.28.1. When a container image is processed, each layer is
  unpacked using `tar`. If one of those layers is not a valid `tar` archive
  this causes an error leading to an unexpected situation where the code
  indefinitely waits for the tar unpacked stream, which never finishes. An
  attacker could use this vulnerability to craft a malicious image, which when
  downloaded and stored by an application using containers/storage, would then
  cause a deadlock leading to a Denial of Service (DoS).
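The failure mode the CVE text describes, reduced to its generic shape as an added Go example (this is not code from containers/storage or skopeo, and the pipe-based producer/consumer layout, the names filterLayer, consumeLayer and ErrHung, and the deadline used to make the hang observable are all assumptions made for illustration). A producer goroutine re-streams a layer's tar entries through an io.Pipe; if it hits a malformed archive and simply returns, the consumer's Read blocks forever, which is the denial of service. Propagating the error with CloseWithError instead makes the consumer fail fast with the underlying error:

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"time"
)

// ErrHung is returned by consumeLayer when the stream neither ends nor fails
// within the deadline; it stands in for the indefinite wait the CVE describes.
var ErrHung = errors.New("consumer blocked waiting for layer stream")

// buildTar builds a small, valid tar archive in memory (constructed sample input).
func buildTar(files map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range files {
		_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body))})
		_, _ = io.WriteString(tw, body)
	}
	_ = tw.Close()
	return buf.Bytes()
}

// filterLayer mimics a producer that re-writes a layer's tar entries into a
// pipe for a downstream consumer. With closeOnError=false it reproduces the
// defect pattern: on a malformed archive the goroutine returns without closing
// the pipe, so the consumer never sees EOF or an error. With closeOnError=true
// the error is propagated through CloseWithError and the consumer unblocks.
func filterLayer(layer []byte, closeOnError bool) io.Reader {
	pr, pw := io.Pipe()
	go func() {
		tr := tar.NewReader(bytes.NewReader(layer))
		tw := tar.NewWriter(pw)
		for {
			hdr, err := tr.Next()
			if err == io.EOF {
				_ = tw.Close()
				_ = pw.Close() // clean EOF for the consumer
				return
			}
			if err == nil {
				if err = tw.WriteHeader(hdr); err == nil {
					_, err = io.Copy(tw, tr)
				}
			}
			if err != nil {
				if closeOnError {
					_ = pw.CloseWithError(fmt.Errorf("filtering layer: %w", err))
				}
				return // defect path: pipe left open, consumer hangs
			}
		}
	}()
	return pr
}

// consumeLayer reads tar entries from the filtered stream and returns how many
// it saw. The deadline turns an indefinite wait into ErrHung so the example
// terminates; real code has no such deadline, which is exactly the DoS.
func consumeLayer(r io.Reader, deadline time.Duration) (int, error) {
	type result struct {
		n   int
		err error
	}
	done := make(chan result, 1)
	go func() {
		tr := tar.NewReader(r)
		n := 0
		for {
			_, err := tr.Next()
			if err == io.EOF {
				done <- result{n, nil}
				return
			}
			if err != nil {
				done <- result{n, err}
				return
			}
			n++
			if _, err := io.Copy(io.Discard, tr); err != nil {
				done <- result{n, err}
				return
			}
		}
	}()
	select {
	case res := <-done:
		return res.n, res.err
	case <-time.After(deadline):
		return 0, ErrHung
	}
}

func main() {
	good := buildTar(map[string]string{"etc/hostname": "demo\n"})
	bad := []byte("definitely not a tar archive") // constructed malformed layer

	n, err := consumeLayer(filterLayer(good, true), time.Second)
	fmt.Println("valid layer: entries =", n, "err =", err)
	_, err = consumeLayer(filterLayer(bad, false), 500*time.Millisecond)
	fmt.Println("malformed layer, pipe left open:", err)
	_, err = consumeLayer(filterLayer(bad, true), time.Second)
	fmt.Println("malformed layer, CloseWithError:", err)
}
```

The detection angle for a defender is the same in both the toy and the real case: a process handling untrusted images that stops making progress, with a goroutine parked in a pipe Read, is the symptom to watch for, and the remedy is that every error exit of the producer closes the pipe with the error rather than leaving it open.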
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:22:41 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:30:57 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:38:54 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:47:04 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:03:01 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:11:19 UTC
Package list is empty or all packages have requested keywords.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 04:25:18 UTC
Fix was in storage-1.28.1, so seems this was done upstream in:

commit 5485daff13f3a984eeeb7dc5f840fd11612289d2
Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date:   Tue Apr 13 08:44:26 2021 +0000

    Bump github.com/containers/storage from 1.26.0 to 1.29.0

    Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.26.0 to 1.29.0.
    - [Release notes](https://github.com/containers/storage/releases)
    - [Changelog](https://github.com/containers/storage/blob/master/docs/containers-storage-changes.md)
    - [Commits](https://github.com/containers/storage/compare/v1.26.0...v1.29.0)

    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Which first made it into Gentoo in:

commit 779759573696a2d0ec5ec26157b1e41f637ce020
Author: Zac Medico <zmedico@gentoo.org>
Date:   Mon Jun 14 10:43:30 2021 -0700

    app-emulation/skopeo: Bump to version 1.3.0

    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

There were no stable versions of skopeo at the time, and we've been cleaned up for a long while. All done!