Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 827893 (CVE-2021-41190) - <sys-cluster/singularity-3.8.5: ambiguous parsing of OCI images
Summary: <sys-cluster/singularity-3.8.5: ambiguous parsing of OCI images
Status: IN_PROGRESS
Alias: CVE-2021-41190
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa?]
Keywords:
Depends on: 827892
Blocks:
  Show dependency tree
 
Reported: 2021-11-30 11:01 UTC by Marek Szuba
Modified: 2021-12-01 23:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marek Szuba archtester gentoo-dev 2021-11-30 11:01:06 UTC
In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently.
Comment 1 Marek Szuba archtester gentoo-dev 2021-11-30 11:38:56 UTC
No vulnerable versions left in the tree.
Comment 2 John Helmert III gentoo-dev Security 2021-12-01 23:17:55 UTC
Thank you!