mirror of
https://git.yoctoproject.org/poky
synced 2026-07-15 15:37:03 +00:00
go: fix CVE-2025-58183
This patch applies the upstream fix [1], as referenced in [2], to address unbounded memory consumption when reading GNU tar pax 1.0 sparse file regions in archive/tar. [1] https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556 [2] https://security-tracker.debian.org/tracker/CVE-2025-58183 Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-58183 (From OE-Core rev: e0285488a93cf3b369ad7424d55938791f57174f) Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
719d921135
commit
b1af4c89b0
@@ -58,6 +58,7 @@ SRC_URI += "\
|
||||
file://CVE-2026-42501.patch \
|
||||
file://CVE-2026-42504.patch \
|
||||
file://CVE-2026-42507.patch \
|
||||
file://CVE-2025-58183.patch \
|
||||
"
|
||||
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
|
||||
|
||||
|
||||
@@ -0,0 +1,107 @@
|
||||
From c25bf45db0b232e8ad9d2bc53e61678ebc5efe90 Mon Sep 17 00:00:00 2001
|
||||
From: Damien Neil <dneil@google.com>
|
||||
Date: Thu, 11 Sep 2025 13:32:10 -0700
|
||||
Subject: [PATCH] [release-branch.go1.24] archive/tar: set a limit on the
|
||||
size of GNU sparse file 1.0 regions
|
||||
|
||||
Sparse files in tar archives contain only the non-zero components
|
||||
of the file. There are several different encodings for sparse
|
||||
files. When reading GNU tar pax 1.0 sparse files, archive/tar did
|
||||
not set a limit on the size of the sparse region data. A malicious
|
||||
archive containing a large number of sparse blocks could cause
|
||||
archive/tar to read an unbounded amount of data from the archive
|
||||
into memory.
|
||||
|
||||
Since a malicious input can be highly compressable, a small
|
||||
compressed input could cause very large allocations.
|
||||
|
||||
Cap the size of the sparse block data to the same limit used
|
||||
for PAX headers (1 MiB).
|
||||
|
||||
Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
|
||||
for reporting this issue.
|
||||
|
||||
Fixes CVE-2025-58183
|
||||
For #75677
|
||||
Fixes #75710
|
||||
|
||||
CVE: CVE-2025-58183
|
||||
Upstream-Status: Backport [https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556]
|
||||
|
||||
Backport Changes:
|
||||
- The upstream fix includes a testdata tarball as a git binary diff.
|
||||
However, quilt cannot apply git binary diffs and fails with the error:
|
||||
"File src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2:
|
||||
git binary diffs are not supported."
|
||||
- As a result, the unnecessary bzip2 test file
|
||||
src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
|
||||
has been removed.
|
||||
- Furthermore, in src/archive/tar/reader_test.go, within the TestReader()
|
||||
function, the test vector entry for testdata/gnu-sparse-many-zeros.tar.bz2
|
||||
has been removed.
|
||||
|
||||
Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800
|
||||
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
||||
Reviewed-by: Nicholas Husin <husin@google.com>
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2967
|
||||
Reviewed-by: Damien Neil <dneil@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/709843
|
||||
Reviewed-by: Carlos Amedee <carlos@golang.org>
|
||||
TryBot-Bypass: Michael Pratt <mpratt@google.com>
|
||||
Auto-Submit: Michael Pratt <mpratt@google.com>
|
||||
(cherry picked from commit 613e746327381d820759ebea6ce722720b343556)
|
||||
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
|
||||
---
|
||||
src/archive/tar/common.go | 1 +
|
||||
src/archive/tar/reader.go | 9 +++++++--
|
||||
2 files changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/archive/tar/common.go b/src/archive/tar/common.go
|
||||
index 4910908f81e..ec1b8668547 100644
|
||||
--- a/src/archive/tar/common.go
|
||||
+++ b/src/archive/tar/common.go
|
||||
@@ -38,6 +38,7 @@ var (
|
||||
errMissData = errors.New("archive/tar: sparse file references non-existent data")
|
||||
errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data")
|
||||
errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole")
|
||||
+ errSparseTooLong = errors.New("archive/tar: sparse map too long")
|
||||
)
|
||||
|
||||
type headerError []string
|
||||
diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
|
||||
index 0811779adda..71d0b20b76d 100644
|
||||
--- a/src/archive/tar/reader.go
|
||||
+++ b/src/archive/tar/reader.go
|
||||
@@ -531,12 +531,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
|
||||
cntNewline int64
|
||||
buf bytes.Buffer
|
||||
blk block
|
||||
+ totalSize int
|
||||
)
|
||||
|
||||
// feedTokens copies data in blocks from r into buf until there are
|
||||
// at least cnt newlines in buf. It will not read more blocks than needed.
|
||||
feedTokens := func(n int64) error {
|
||||
for cntNewline < n {
|
||||
+ totalSize += len(blk)
|
||||
+ if totalSize > maxSpecialFileSize {
|
||||
+ return errSparseTooLong
|
||||
+ }
|
||||
if _, err := mustReadFull(r, blk[:]); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -569,8 +574,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
|
||||
}
|
||||
|
||||
// Parse for all member entries.
|
||||
- // numEntries is trusted after this since a potential attacker must have
|
||||
- // committed resources proportional to what this library used.
|
||||
+ // numEntries is trusted after this since feedTokens limits the number of
|
||||
+ // tokens based on maxSpecialFileSize.
|
||||
if err := feedTokens(2 * numEntries); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
--
|
||||
2.35.6
|
||||
|
||||
Reference in New Issue
Block a user