CVE-2021-20291 (https://nvd.nist.gov/vuln/detail/CVE-2021-20291): A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive, the unpacking fails with an error, but the code then waits indefinitely for the unpacked `tar` stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).
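The failure mode described above, as an added Go illustration that is not containers/storage code and does not reproduce the project's real unpacking logic: a hypothetical streamLayer producer either leaves its pipe open when the tar reader fails (the consumer then waits for a stream that never finishes) or closes the pipe with the error, and a consume helper with a timeout makes the difference observable. The sample layer bytes are constructed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"time"
)

// Constructed sample layer (720 bytes that are not a tar archive) and the
// error consume reports when the unpacked stream never finishes.
var badLayer = bytes.Repeat([]byte("not a tar archive "), 40)
var ErrHung = errors.New("unpack stream never finished")

// streamLayer (hypothetical stand-in, not containers/storage code) unpacks a
// layer in a goroutine and pipes entry contents to the caller. With closeOnErr
// false it models the CVE: the producer errors out and never closes the pipe.
func streamLayer(layer []byte, closeOnErr bool) io.Reader {
	pr, pw := io.Pipe()
	go func() {
		tr := tar.NewReader(bytes.NewReader(layer))
		for {
			if _, err := tr.Next(); err == io.EOF {
				pw.Close() // normal end of archive: reader sees EOF
				return
			} else if err != nil {
				if closeOnErr {
					pw.CloseWithError(err) // hardened: reader sees the error
				}
				return // buggy: pipe left open, reader blocks on it forever
			}
			io.Copy(pw, tr) // entry body goes to the consumer
		}
	}()
	return pr
}

// consume drains the stream but gives up after timeout, so a hung producer
// surfaces as ErrHung instead of a silent deadlock.
func consume(r io.Reader, timeout time.Duration) error {
	done := make(chan error, 1)
	go func() { _, err := io.ReadAll(r); done <- err }()
	select {
	case err := <-done:
		return err
	case <-time.After(timeout):
		return ErrHung
	}
}
```

With closeOnErr=false, consume(streamLayer(badLayer, false), 200*time.Millisecond) returns ErrHung; with closeOnErr=true it returns the tar header error instead of hanging.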
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ba1707f2083f32c57825fbf2d418a7018b9bc09

commit 6ba1707f2083f32c57825fbf2d418a7018b9bc09
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 23:26:06 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 23:31:40 +0000

    app-emulation/podman: Remove vulnerable version

    podman-3.0.1 is vulnerable because it uses containers-storage v1.24.6
    vendored in this commit:
    https://github.com/containers/podman/commit/5a520cb4cae29e97085adfcf95b9d18e9e7a4c45

    podman-3.1.2 is *not* vulnerable because it uses containers-storage v1.30.0
    vendored in this commit:
    https://github.com/containers/podman/commit/5aef11026a850bb99d8394dba17810bf05d727bc

    Bug: https://bugs.gentoo.org/785901
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/podman/Manifest            |   1 -
 app-emulation/podman/podman-3.0.1.ebuild | 165 -------------------------------
 2 files changed, 166 deletions(-)