Bug 1954368 (CVE-2021-29482) - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
Summary: CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial o...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-29482
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1958929 1955059 1955060 1955061 1955062 1955063 1955064 1955065 1955066 1955067 1961123 1961124 1961125 1961126 1961127 1961128 1961318 1961319 2032712 2032713 2032714
Blocks: 1954369
Reported: 2021-04-28 02:35 UTC by Sam Fowler
Modified: 2023-08-31 23:59 UTC (History)

Fixed In Version: github.com/ulikunitz/xz 0.5.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in github.com/ulikunitz/xz. The function readUvarint may not terminate its read loop, which could lead to a denial of service (DoS).
Clone Of:
Environment:
Last Closed: 2021-07-28 19:06:53 UTC
Embargoed:


Links (external trackers):
Red Hat Product Errata RHSA-2021:2920, last updated 2021-07-27 14:20:56 UTC
Red Hat Product Errata RHSA-2021:3016, last updated 2021-08-06 00:51:10 UTC
Red Hat Product Errata RHSA-2022:0687, last updated 2022-02-28 21:20:33 UTC
Red Hat Product Errata RHSA-2022:1276, last updated 2022-04-07 17:58:52 UTC
Red Hat Product Errata RHSA-2022:2183, last updated 2022-05-11 11:34:33 UTC

Description Sam Fowler 2021-04-28 02:35:47 UTC
github.com/ulikunitz/xz is a package for reading and writing of xz compressed streams.

Affected versions of this package are vulnerable to Denial of Service (DoS). It is possible to create an infinite read loop due to the usage of the ReadUvarint and ReadVarint functions of encoding/binary via invalid inputs.

Note that this is a similar issue to CVE-2020-16845, which affects the Go standard library, but it requires its own fix.


References:

https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMULIKUNITZXZ-607912
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMULIKUNITZXZ-598892
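As an added illustration (not code from this report or from the ulikunitz/xz project), the following is a bounded base-128 uvarint reader of the kind such a fix needs, run against a constructed hostile input. The unbounded loop described in the report differs only in lacking the ten-byte limit, so it would consume every continuation byte the input supplies. Function names and the sample inputs are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// A uint64 needs at most 10 uvarint bytes (7 payload bits each); anything longer
// is malformed, and a reader that keeps going is the infinite loop in the report.
const maxUvarintLen64 = 10

var errOverflow = fmt.Errorf("uvarint: overflows uint64 or exceeds %d bytes", maxUvarintLen64)

// readUvarintBounded decodes a little-endian base-128 varint (the same encoding
// that encoding/binary.ReadUvarint parses) but gives up after maxUvarintLen64 bytes
// and rejects a final byte that would push the value past 64 bits, so every call
// terminates with either a value or an error, whatever the input.
func readUvarintBounded(r io.ByteReader) (x uint64, n int, err error) {
	for s := uint(0); n < maxUvarintLen64; s += 7 {
		var b byte
		if b, err = r.ReadByte(); err != nil {
			return x, n, err
		}
		n++
		if b < 0x80 { // continuation bit clear: this is the last byte
			if n == maxUvarintLen64 && b > 1 {
				return x, n, errOverflow // bits 64 and up would be set
			}
			return x | uint64(b)<<s, n, nil
		}
		x |= uint64(b&0x7f) << s
	}
	return x, n, errOverflow // 10 bytes read and still no terminator
}

func main() {
	// Constructed hostile input: 100000 continuation bytes then a terminator. An
	// unbounded loop would read all of them; the bounded reader stops at 10.
	hostile := append(bytes.Repeat([]byte{0x80}, 100000), 0x00)
	_, n, err := readUvarintBounded(bytes.NewReader(hostile))
	fmt.Printf("hostile: stopped after %d bytes, err=%v\n", n, err)

	v, n, err := readUvarintBounded(bytes.NewReader([]byte{0xAC, 0x02})) // 300
	fmt.Printf("valid: value=%d, %d bytes, err=%v\n", v, n, err)
}
```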

Comment 3 Przemyslaw Roguski 2021-04-29 11:10:56 UTC
Statement:

In OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) the affected components are behind OpenShift OAuth authentication, therefore the impact is low.
In OCP before 4.7 the buildah, skopeo and podman packages include a vulnerable version of github.com/ulikunitz/xz, but these OCP releases are already in the Maintenance Phase of support, hence the affected components are marked as wontfix. This may be fixed in the future.

Comment 7 Przemyslaw Roguski 2021-04-29 11:25:29 UTC
Upstream commit:
https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b

Comment 12 errata-xmlrpc 2021-07-27 14:20:36 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8

Via RHSA-2021:2920 https://access.redhat.com/errata/RHSA-2021:2920

Comment 13 Product Security DevOps Team 2021-07-28 19:06:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29482

Comment 14 errata-xmlrpc 2021-08-06 00:51:07 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 17 errata-xmlrpc 2022-02-28 21:20:29 UTC
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:0687 https://access.redhat.com/errata/RHSA-2022:0687

Comment 18 errata-xmlrpc 2022-04-07 17:58:48 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

Comment 19 errata-xmlrpc 2022-05-11 11:34:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:2183 https://access.redhat.com/errata/RHSA-2022:2183
