GO-2021-0100

Source
https://pkg.go.dev/vuln/GO-2021-0100
Import Source
https://vuln.go.dev/ID/GO-2021-0100.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2021-0100
Aliases
Published
2021-07-28T18:08:05Z
Modified
2024-05-20T16:03:47Z
Summary
Denial of service via deadlock in github.com/containers/storage
Details

Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker can use this to cause denial of service if they are able to cause the caller to attempt to decompress an archive they control.

References
Credits
    • Aviv Sasson (Palo Alto Networks)

Affected packages

Go / github.com/containers/storage

Package

Name
github.com/containers/storage
View open source insights on deps.dev
Purl
pkg:golang/github.com/containers/storage

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/containers/storage/pkg/archive",
            "symbols": [
                "ApplyLayer",
                "ApplyUncompressedLayer",
                "Archiver.CopyFileWithTar",
                "Archiver.CopyWithTar",
                "Archiver.TarUntar",
                "Archiver.UntarPath",
                "CopyResource",
                "CopyTo",
                "DecompressStream",
                "IsArchivePath",
                "Untar",
                "UntarPath",
                "UntarUncompressed",
                "cmdStream"
            ]
        }
    ]
}