Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 785910 - <app-emulation/buildah-1.20.1: deadlock vulnerability through embedded app-emulation/containers-storage (CVE-2021-20291)
Summary: <app-emulation/buildah-1.20.1: deadlock vulnerability through embedded app-em...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2021-20291
  Show dependency tree
 
Reported: 2021-04-26 21:32 UTC by GLSAMaker/CVETool Bot
Modified: 2021-10-17 18:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2021-04-26 21:32:03 UTC 
CVE-2021-20291 (https://nvd.nist.gov/vuln/detail/CVE-2021-20291):
  A deadlock vulnerability was found in 'github.com/containers/storage' in
  versions before 1.28.1. When a container image is processed, each layer is
  unpacked using `tar`. If one of those layers is not a valid `tar` archive
  this causes an error leading to an unexpected situation where the code
  indefinitely waits for the tar unpacked stream, which never finishes. An
  attacker could use this vulnerability to craft a malicious image, which when
  downloaded and stored by an application using containers/storage, would then
  cause a deadlock leading to a Denial of Service (DoS).
Comment 1 Larry the Git Cow gentoo-dev 2021-04-26 23:46:16 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9efca8735e909138dfb708fca16c913042487b41

commit 9efca8735e909138dfb708fca16c913042487b41
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 23:45:22 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 23:45:51 +0000

    app-emulation/buildah: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/785910
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/buildah/Manifest              |  2 --
 app-emulation/buildah/buildah-1.16.1.ebuild | 47 -----------------------------
 app-emulation/buildah/buildah-1.19.6.ebuild | 47 -----------------------------
 3 files changed, 96 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=796dd398a0801213dc6c74b1175131bf5c35aa67

commit 796dd398a0801213dc6c74b1175131bf5c35aa67
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-26 23:39:43 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-26 23:44:44 +0000

    app-emulation/buildah: Bump to version 1.20.1
    
    buildah v1.20.1 received the fix for CVE-2021-20291 when it
    updated to containers/storage v1.29.0 in this commit:
    
    https://github.com/containers/buildah/commit/ddda1bdcff0985c520800abd07c8cb55b83e88b7
    
    Bug: https://bugs.gentoo.org/785910
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/buildah/Manifest              |  1 +
 app-emulation/buildah/buildah-1.20.1.ebuild | 47 +++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:22:42 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:30:58 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:38:55 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:47:05 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:03:02 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:11:20 UTC 
Package list is empty or all packages have requested keywords.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 18:55:21 UTC 
Fixed a long time ago, sorry! No GLSA, all done.