[GO-2021-0100] Denial of service via deadlock in github.com/containers/storage
Severity: Medium
Affected Packages: 1
Fixed Packages: 1
CVEs: 1
Due to a goroutine deadlock, using
github.com/containers/storage/pkg/archive.DecompressStream on an xz archive
returns a reader which will hang indefinitely when Close is called. An attacker
can use this to cause denial of service if they are able to cause the caller to
attempt to decompress an archive they control.
Package | Affected Version |
---|---|
pkg:golang/github.com/containers/storage/pkg/archive | >= 1.28.1-0.20210316105906-29dc2106ab59, < 1.28.1 |
Package | Fixed Version |
---|---|
pkg:golang/github.com/containers/storage/pkg/archive | = 1.28.1 |
- ID: GO-2021-0100
- Severity: medium
- Severity from: CVE-2021-20291
- URL: https://pkg.go.dev/vuln/GO-2021-0100
- Published: 2022-08-12T17:19:52
- Modified: 2024-05-14T19:19:00
- Other Advisories:
  - ALBA-2022:0348
  - ALSA-2021:4154
  - ALSA-2022:7954
  - ALSA-2022:7955
  - ALSA-2022:8008
  - ELSA-2021-4154
  - ELSA-2022-7954
  - ELSA-2022-7955
  - ELSA-2022-8008
  - FEDORA-2021-83b3740389
  - FEDORA-2021-a3703b9dc8
  - FEDORA-2021-c56a213327
  - FEDORA-2021-ec00da7faa
  - RHBA-2022:0348
  - RHSA-2021:4154
  - RHSA-2022:7954
  - RHSA-2022:7955
  - RHSA-2022:8008
  - RLBA-2022:0348
  - RLSA-2021:4154
  - SUSE-SU-2022:3312-1
Source | # ID | Name | URL |
---|---|---|---|
Security Advisory | | | https://github.com/advisories/GHSA-7qw8-847f-pggm |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Fixed | pkg:golang/github.com/containers/storage/pkg/archive | github.com/containers/storage/pkg | archive | = 1.28.1 | |||
Affected | pkg:golang/github.com/containers/storage/pkg/archive | github.com/containers/storage/pkg | archive | >= 1.28.1-0.20210316105906-29dc2106ab59 < 1.28.1 |