GHSA-54p8-x2m9-c593: malcontent: Error-path cleanup gap can leak scanners and fds and degrade availability
Several extraction and scanning code paths registered late defers which could leak resources and exhaust system resources.
This report is an aggregate of these individual reports for the affected code:
| Advisory | Affected File |
|---|---|
GHSA-jjgh-mc5q-gch7 | pkg/action/scan.go |
GHSA-mwmf-fxh2-w4x7 | pkg/archive/deb.go |
GHSA-p8j3-rpf5-gwv3 | pkg/archive/gzip.go |
GHSA-qfh4-7f5v-75gq | pkg/archive/zlib.go |
GHSA-wxxf-r586-5rf5 | pkg/archive/bzip2.go |
Fix: #1354, #1355, #1356, #1361
Acknowledgements
Thank you to Oleh Konko from 1seal for discovering and reporting all six of these issues.
References
- github.com/advisories/GHSA-54p8-x2m9-c593
- github.com/chainguard-dev/malcontent
- github.com/chainguard-dev/malcontent/pull/1354
- github.com/chainguard-dev/malcontent/pull/1355
- github.com/chainguard-dev/malcontent/pull/1356
- github.com/chainguard-dev/malcontent/pull/1361
- github.com/chainguard-dev/malcontent/security/advisories/GHSA-54p8-x2m9-c593
Code Behaviors & Features
Detect and mitigate GHSA-54p8-x2m9-c593 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →