A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform. An attacker can use this flaw to trick a user with privileges to pull container images into crashing the process responsible for pulling the image.
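A bounded-read sketch of the kind of guard that addresses this class of flaw, added here as an illustration and not taken from the bug report or the upstream fix. The report does not say which read is unbounded; this assumes the pulling process buffers a registry-supplied document in memory, and `readAtMost`, `maxDocSize`, `ErrTooLarge` and the `endless` reader are hypothetical names constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxDocSize is a hypothetical cap chosen for this example (4 MiB).
const maxDocSize = 4 << 20

// ErrTooLarge reports that the source offered more than the allowed size.
var ErrTooLarge = errors.New("document exceeds size limit")

// endless is a constructed reader standing in for a registry response
// that never ends; served counts how many bytes were taken from it.
type endless struct{ served int64 }

func (e *endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	e.served += int64(len(p))
	return len(p), nil
}

// readAtMost buffers r in memory but refuses anything longer than limit.
// It requests limit+1 bytes, so a document of exactly limit bytes is
// accepted and a longer one is rejected without reading the remainder.
func readAtMost(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrTooLarge
	}
	return data, nil
}

func main() {
	small, err := readAtMost(strings.NewReader(`{"schemaVersion":2}`), maxDocSize)
	fmt.Println(len(small), err)

	src := &endless{}
	_, err = readAtMost(src, maxDocSize)
	fmt.Println(err, "- bytes taken from source:", src.served)
}
```

Memory use in the rejected case is bounded by the limit rather than by whatever the remote side chooses to send.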
Created buildah tracking bugs for this issue:
Affects: fedora-31 [bug 1792800]

Created podman tracking bugs for this issue:
Affects: fedora-31 [bug 1792797]

Created skopeo tracking bugs for this issue:
Affects: fedora-31 [bug 1792798]
Acknowledgments: Name: Oleg Bulatov (Red Hat)
Given the bump to a CVE, changing severity to high.
Created cri-o tracking bugs for this issue: Affects: fedora-31 [bug 1795829]
Upstream commit: https://github.com/containers/image/pull/803
(In reply to Jason Shepherd from comment #28)
> Upstream commit: https://github.com/containers/image/pull/803

https://github.com/containers/image/pull/805 , actually.
Moving to POST and assigning to Jindrich to handle packaging
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:1227 https://access.redhat.com/errata/RHSA-2020:1227
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:1234 https://access.redhat.com/errata/RHSA-2020:1234
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1702
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1650 https://access.redhat.com/errata/RHSA-2020:1650
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:1937 https://access.redhat.com/errata/RHSA-2020:1937
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:2116 https://access.redhat.com/errata/RHSA-2020:2116
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:2218 https://access.redhat.com/errata/RHSA-2020:2218
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:2681 https://access.redhat.com/errata/RHSA-2020:2681
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHBA-2020:0492 https://access.redhat.com/errata/RHBA-2020:0492