Vulnerability Report: GO-2021-0100

CVE-2021-20291, GHSA-7qw8-847f-pggm
Affects: github.com/containers/storage
Published: Jul 28, 2021
Modified: May 20, 2024

Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker can use this to cause denial of service if they are able to cause the caller to attempt to decompress an archive they control.

Affected Packages

Path

Versions

Symbols
github.com/containers/storage/pkg/archive

before v1.28.1
13 affected symbols

Aliases

CVE-2021-20291
GHSA-7qw8-847f-pggm

References

https://github.com/containers/storage/pull/860
https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
https://bugzilla.redhat.com/show_bug.cgi?id=1939485
https://vuln.go.dev/ID/GO-2021-0100.json

Credits

Aviv Sasson (Palo Alto Networks)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL