Vulnerability Report: GO-2021-0100
- CVE-2021-20291, GHSA-7qw8-847f-pggm
- Affects: github.com/containers/storage
- Published: Jul 28, 2021
- Modified: May 20, 2024
Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker can use this to cause denial of service if they are able to cause the caller to attempt to decompress an archive they control.
Affected Packages
-
PathGo VersionsSymbols
-
before v1.28.1
Aliases
References
- https://github.com/containers/storage/pull/860
- https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
- https://bugzilla.redhat.com/show_bug.cgi?id=1939485
- https://vuln.go.dev/ID/GO-2021-0100.json
Credits
- Aviv Sasson (Palo Alto Networks)
Feedback
See anything missing or incorrect?
Suggest an edit to this report.