CVE-2021-20291 (https://nvd.nist.gov/vuln/detail/CVE-2021-20291): A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).
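The mechanism in that description is a classic pipe deadlock: one goroutine streams the layer bytes into a pipe, the tar reader consumes them, and the caller waits for the producer. If the reader bails out on a malformed archive without closing its end of the pipe, the producer blocks forever and so does the wait. The following Go program is an added illustration of that pattern and of the usual remedy (closing the read end with `CloseWithError`); it is not code from containers/storage, not its actual fix, and the function names, the constructed `badLayer` input and the in-memory valid layer are all assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"time"
)

// badLayer is a constructed "layer" that is not a tar archive at all. It is
// larger than one 512-byte tar header block on purpose, so the producer still
// has bytes left to write after the reader has given up on it.
var badLayer = bytes.Repeat([]byte("this is not a tar archive\n"), 4096)

// buildGoodLayer builds a minimal valid tar layer in memory (constructed input).
func buildGoodLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("hello\n")
	hdr := &tar.Header{Name: "etc/motd", Mode: 0o644, Size: int64(len(body))}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(body); err != nil {
		panic(err)
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// unpack walks the tar stream on r and returns the number of entries seen, or
// the first error from the tar reader (tar.ErrHeader for garbage input).
func unpack(r io.Reader) (int, error) {
	tr := tar.NewReader(r)
	entries := 0
	for {
		_, err := tr.Next()
		if err == io.EOF {
			return entries, nil
		}
		if err != nil {
			return entries, err
		}
		if _, err := io.Copy(io.Discard, tr); err != nil {
			return entries, err
		}
		entries++
	}
}

// applyLayer streams layer through an io.Pipe: a producer goroutine writes the
// bytes, unpack consumes them, then the caller waits for the producer.
// closeOnError=false is the vulnerable shape: on an invalid archive unpack
// returns early, nobody reads the pipe any more, the producer blocks in
// pw.Write forever, and the wait on producerDone never returns.
// closeOnError=true is the fix: the consumer closes its end of the pipe with
// the error, the producer's Write fails immediately, and the wait completes.
func applyLayer(layer []byte, closeOnError bool) (int, error) {
	pr, pw := io.Pipe()
	producerDone := make(chan error, 1)
	go func() {
		_, err := pw.Write(layer)
		pw.Close()
		producerDone <- err
	}()

	entries, err := unpack(pr)
	if err != nil && closeOnError {
		pr.CloseWithError(err) // pending pw.Write now returns err
	}
	// "waits for the tar unpacked stream": never finishes in the vulnerable shape.
	if perr := <-producerDone; err == nil && perr != nil {
		err = perr
	}
	return entries, err
}

// result carries applyLayer's return values across a goroutine boundary.
type result struct {
	entries int
	err     error
}

// applyWithTimeout runs applyLayer and reports whether it hung past limit, so
// the deadlock can be shown without deadlocking this program. A hung
// applyLayer goroutine is simply leaked, which is exactly the DoS condition.
func applyWithTimeout(layer []byte, closeOnError bool, limit time.Duration) (result, bool) {
	done := make(chan result, 1)
	go func() {
		n, err := applyLayer(layer, closeOnError)
		done <- result{n, err}
	}()
	select {
	case r := <-done:
		return r, false
	case <-time.After(limit):
		return result{}, true
	}
}

func report(name string, layer []byte, fixed bool) {
	r, hung := applyWithTimeout(layer, fixed, time.Second)
	if hung {
		fmt.Printf("%s: HUNG (deadlock)\n", name)
		return
	}
	fmt.Printf("%s: %d entries, err=%v\n", name, r.entries, r.err)
}

func main() {
	report("invalid layer, vulnerable", badLayer, false)
	report("invalid layer, fixed", badLayer, true)
	report("valid layer, fixed", buildGoodLayer(), true)
}
```

The point to take from the example is that an `io.Pipe` has no buffer: every byte the producer writes must be read by someone, so any consumer error path must close the read end (ideally with the error, so the producer sees why it failed) before waiting on the producer. A bounded wait, as `applyWithTimeout` does here, is a useful belt-and-braces defence for code that unpacks untrusted archives, but it is not a substitute for closing the pipe.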
Package list is empty or all packages have requested keywords.
Fix was in storage-1.28.1, so it seems this was done upstream in:

commit 5485daff13f3a984eeeb7dc5f840fd11612289d2
Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date:   Tue Apr 13 08:44:26 2021 +0000

    Bump github.com/containers/storage from 1.26.0 to 1.29.0

    Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.26.0 to 1.29.0.
    - [Release notes](https://github.com/containers/storage/releases)
    - [Changelog](https://github.com/containers/storage/blob/master/docs/containers-storage-changes.md)
    - [Commits](https://github.com/containers/storage/compare/v1.26.0...v1.29.0)

    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Which first made it into Gentoo in:

commit 779759573696a2d0ec5ec26157b1e41f637ce020
Author: Zac Medico <zmedico@gentoo.org>
Date:   Mon Jun 14 10:43:30 2021 -0700

    app-emulation/skopeo: Bump to version 1.3.0

    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

There were no stable versions of skopeo at the time, and we've been cleaned up for a long while. All done!