GO-2021-0100
See a problem?- Source
- https://pkg.go.dev/vuln/GO-2021-0100
- Import Source
- https://vuln.go.dev/ID/GO-2021-0100.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2021-0100
- Aliases
- Published
- 2021-07-28T18:08:05Z
- Modified
- 2024-05-20T16:03:47Z
- Summary
- Denial of service via deadlock in github.com/containers/storage
- Details
-
Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker can use this to cause denial of service if they are able to cause the caller to attempt to decompress an archive they control.
- References
- Credits
-
-
- Aviv Sasson (Palo Alto Networks)
-
Affected packages
Go / github.com/containers/storage
Package
- Name
- github.com/containers/storage
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/containers/storage
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.28.1
Ecosystem specific
{
"imports": [
{
"path": "github.com/containers/storage/pkg/archive",
"symbols": [
"ApplyLayer",
"ApplyUncompressedLayer",
"Archiver.CopyFileWithTar",
"Archiver.CopyWithTar",
"Archiver.TarUntar",
"Archiver.UntarPath",
"CopyResource",
"CopyTo",
"DecompressStream",
"IsArchivePath",
"Untar",
"UntarPath",
"UntarUncompressed",
"cmdStream"
]
}
]
}