skopeo-1.9.2-1.el9
Errata ID: AXSA:2023-5066:01
The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.
Security Fix(es):
* containers/storage: DoS via malicious image (CVE-2021-20291)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2021-20291
A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).
CVE-2021-33198
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
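Updating removes the flaw; code that passes untrusted strings to math/big.Rat.SetString can also bound the input before parsing. The Go code below is an added example, not code from skopeo or the Go project: ParseUntrustedRat, maxLen and maxExp are hypothetical names, the limits are assumed policy values, and the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"strconv"
)

// Assumed policy limits (input length, exponent magnitude); not from the advisory.
const maxLen, maxExp = 256, 1000

// Plain decimal only: sign, digits, optional fraction, optional e/E exponent.
var decimalRe = regexp.MustCompile(`^[+-]?[0-9]+(\.[0-9]+)?([eE]([+-]?[0-9]+))?$`)

// ParseUntrustedRat (hypothetical helper) checks s before math/big sees it.
func ParseUntrustedRat(s string) (r *big.Rat, err error) {
	if len(s) > maxLen {
		return nil, errors.New("input too long")
	}
	m := decimalRe.FindStringSubmatch(s)
	if m == nil {
		return nil, errors.New("not a plain decimal number")
	}
	if m[3] != "" {
		if e, convErr := strconv.Atoi(m[3]); convErr != nil || e > maxExp || e < -maxExp {
			return nil, errors.New("exponent out of range")
		}
	}
	// recover() catches a panic but not a fatal runtime error such as running
	// out of memory, which is why the bound above is enforced first.
	defer func() {
		if p := recover(); p != nil {
			r, err = nil, fmt.Errorf("math/big panicked: %v", p)
		}
	}()
	v, ok := new(big.Rat).SetString(s)
	if !ok {
		return nil, errors.New("math/big rejected the input")
	}
	return v, nil
}

func main() {
	for _, s := range []string{"1.5e3", "-2.5", "1e999999999", "0x1p10"} { // constructed inputs
		fmt.Println(ParseUntrustedRat(s))
	}
}
```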
Update packages.
N/A
SRPMS
- skopeo-1.9.2-1.el9.src.rpm
MD5: 437cb111694272183bd5d44abe8abb80
SHA-256: 6bc9b34fb7d9f412f00a404b483e1b65f7305c920b6fdaffce11f46552a104fc
Size: 6.37 MB
Asianux Server 9 for x86_64
- skopeo-1.9.2-1.el9.x86_64.rpm
MD5: bb567eb0e2497ce5f32aaca3db52d6ae
SHA-256: 06656e227f9633063d5bdd05e7e02de373b5f03df23dc3ecef45c45653f11013
Size: 6.65 MB
- skopeo-tests-1.9.2-1.el9.x86_64.rpm
MD5: e3aa654a93c0dd0e5f2437fef7b2e1ba
SHA-256: 92377ab878a0b99749627cef38bb35c2a1992ff8331a5a1c1cbc29fe5e8d751a
Size: 767.88 kB