Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 785898 - <app-emulation/containers-storage-1.30.0: deadlock vulnerability (CVE-2021-20291)
Summary: <app-emulation/containers-storage-1.30.0: deadlock vulnerability (CVE-2021-20...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
: 785907 (view as bug list)
Depends on:
Blocks: CVE-2021-20291
  Show dependency tree
 
Reported: 2021-04-26 21:24 UTC by GLSAMaker/CVETool Bot
Modified: 2021-04-27 00:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2021-04-26 21:24:41 UTC 
CVE-2021-20291 (https://nvd.nist.gov/vuln/detail/CVE-2021-20291):
  A deadlock vulnerability was found in 'github.com/containers/storage' in
  versions before 1.28.1. When a container image is processed, each layer is
  unpacked using `tar`. If one of those layers is not a valid `tar` archive
  this causes an error leading to an unexpected situation where the code
  indefinitely waits for the tar unpacked stream, which never finishes. An
  attacker could use this vulnerability to craft a malicious image, which when
  downloaded and stored by an application using containers/storage, would then
  cause a deadlock leading to a Denial of Service (DoS).
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2021-04-26 21:36:13 UTC 
*** Bug 785907 has been marked as a duplicate of this bug. ***
Comment 2 Larry the Git Cow gentoo-dev 2021-04-26 21:38:20 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bf3edc9f8302d92714d940d23acc77a73a48133

commit 9bf3edc9f8302d92714d940d23acc77a73a48133
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 21:37:37 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 21:37:47 +0000

    app-emulation/containers-storage: Remove vunlerable versions
    
    Bug: https://bugs.gentoo.org/785898
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/containers-storage/Manifest          |  3 --
 .../containers-storage-1.18.1.ebuild               | 58 ----------------------
 .../containers-storage-1.20.2.ebuild               | 58 ----------------------
 .../containers-storage-1.23.3.ebuild               | 58 ----------------------
 4 files changed, 177 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72b5975efddd840644b5a08e46798183cf4f3288

commit 72b5975efddd840644b5a08e46798183cf4f3288
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 21:33:25 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 21:36:55 +0000

    app-emulation/containers-storage: Bump to version 1.30.0
    
    Bug: https://bugs.gentoo.org/785898
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/containers-storage/Manifest          |  1 +
 .../containers-storage-1.30.0.ebuild               | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-26 23:50:03 UTC 
Thanks! Tree clean, all done.