[GO-2021-0100] Denial of service via deadlock in github.com/containers/storage

Severity Medium
Affected Packages 1
Fixed Packages 1
CVEs 1

Due to a goroutine deadlock, using
github.com/containers/storage/pkg/archive.DecompressStream on an xz archive
returns a reader that hangs indefinitely when Close is called. An attacker
who can cause the caller to attempt to decompress an archive they control
can use this to cause denial of service.

Package: pkg:golang/github.com/containers/storage/pkg/archive
Affected Version: >= 1.28.1-0.20210316105906-29dc2106ab59, < 1.28.1

Source: Security Advisory
URL: https://github.com/advisories/GHSA-7qw8-847f-pggm

Fixed
  Package URL: pkg:golang/github.com/containers/storage/pkg/archive
  Namespace: github.com/containers/storage/pkg
  Name / Product: archive
  Version: = 1.28.1

Affected
  Package URL: pkg:golang/github.com/containers/storage/pkg/archive
  Namespace: github.com/containers/storage/pkg
  Name / Product: archive
  Version: >= 1.28.1-0.20210316105906-29dc2106ab59 < 1.28.1