archive/tar: unbounded memory consumption when reading headers #54853
Comments
@gopherbot please open backport issues.
Backport issue(s) opened: #55925 (for 1.18), #55926 (for 1.19). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
Moving back to Go1.20 milestone. (Go1.19.2 now has #55926 backport issue.)
Change https://go.dev/cl/438498 mentions this issue:
Change https://go.dev/cl/438500 mentions this issue:
Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-2879
Updates #54853
Fixes #55926

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1591053
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438498
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>

Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-2879
Updates #54853
Fixes #55925

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438500
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Change https://go.dev/cl/439355 mentions this issue:
Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-2879
For #54853

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/439355
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Wed, 5 Oct 2022
Backported By: rcrozean@amazon.com
Backported From: release-branch.go1.15
Source Commit: golang@0a72381
EKS Patch Source Commit: aws/eks-distro-build-tooling@1de4158

For building an internal version of go1.15, we removed the binary information from this patch caused by ./src/archive/tar/pax-bad-hdr-large.tar.bz2; it was added to the repo: https://github.com/aws/eks-distro-build-tooling/projects/golang/go/1.15/rpmbuild/SOURCE/pax-bad-hdr-large.tar.bz2

# Original Information

Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-2879
Updates golang#54853
Fixes golang#55925

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438500
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

# AWS EKS
Backported To: go-1.16.15-eks
Backported On: Wed, 5 Oct 2022
Backported By: rcrozean@amazon.com
Backported From: release-branch.go1.18
Source Commit: golang@0a72381
EKS Patch Source Commit: aws/eks-distro-build-tooling@f4ce232

For building an internal version of go1.16, we removed the binary information from this patch, describing ./src/archive/tar/pax-bad-hdr-large.tar.bz2. The file itself was added directly to the repository. This was done due to the fact that `diff`, used by RPMs for patch application, does not support binary diffs. https://github.com/aws/eks-distro-build-tooling/projects/golang/go/1.16/rpmbuild/SOURCE/pax-bad-hdr-large.tar.bz2

# Original Information

Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-2879
Updates golang#54853
Fixes golang#55925

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438500
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Includes fixes for security vulnerabilities:

* [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
* [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
* [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
* [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
* [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:

* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>

This includes a small selection of security-related fixes which do not urgently impact Terraform's behavior but do close some potential avenues for unbounded resource usage or misbehavior with malicious input:

- golang/go#54853
- golang/go#55949
- golang/go#56284
Includes fixes for security vulnerabilities:

* [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
* [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
* [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
* [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
* [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:

* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Includes fixes for security vulnerabilities:

* [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
* [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
* [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
* [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
* [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:

* #19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
Reader.Read did not set a limit on the maximum size of file headers.
A maliciously crafted archive could cause Read to allocate unbounded
amounts of memory, potentially causing resource exhaustion or panics.
Reader.Read now limits the maximum size of header blocks to 1 MiB.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.
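The commit messages above describe the fix as a 1 MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), and the issue text gives the failure mode: a header block can declare any size, and the reader buffered the whole block before parsing it. The Go program below is an added example written for this page; it is not code from the Go project, from this issue, or from any of the commits listed here. It hand-builds a tar stream whose PAX extended header ('x' entry) carries a `path` record of a chosen size, runs a caller-side pre-check (`scanSpecialBlocks`, a function written for this example, not an archive/tar API) that rejects oversized special blocks from the declared size field without buffering any body, and then hands the same bytes to `archive/tar`. The 1 MiB constant, the entry names, and the record contents are assumptions chosen for the example; the archive is constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

const maxSpecialFileSize = 1 << 20 // the 1 MiB cap the fix describes; assumed here for the scan

var errSpecialTooLong = errors.New("special file block exceeds limit")

// rawHeader builds a 512-byte USTAR header with a valid checksum; unused fields stay NUL.
func rawHeader(name string, typeflag byte, size int64) []byte {
	b := make([]byte, 512)
	copy(b[0:100], name)
	copy(b[100:108], "0000644\x00")                  // mode, octal
	copy(b[124:136], fmt.Sprintf("%011o\x00", size)) // size, octal
	copy(b[148:156], "        ")                     // checksum field counts as spaces
	b[156] = typeflag
	copy(b[257:265], "ustar\x0000") // magic "ustar\0" followed by version "00"
	sum := 0
	for _, c := range b {
		sum += int(c)
	}
	copy(b[148:156], fmt.Sprintf("%06o\x00 ", sum))
	return b
}

// paxRecord encodes one "len key=value\n" PAX record, where len counts itself.
func paxRecord(key, value string) string {
	base := len(key) + len(value) + 3 // space, '=', newline
	size := base
	for base+len(strconv.Itoa(size)) != size {
		size = base + len(strconv.Itoa(size))
	}
	return fmt.Sprintf("%d %s=%s\n", size, key, value)
}

// padding is the number of bytes that round size up to a 512-byte block.
func padding(size int64) int64 { return (512 - size%512) % 512 }

// buildArchive returns a constructed tar stream: a PAX extended header ('x') whose
// path record has a pathLen-byte value, a one-byte regular file, then the end marker.
func buildArchive(pathLen int) []byte {
	pax := paxRecord("path", strings.Repeat("a", pathLen))
	var buf bytes.Buffer
	buf.Write(rawHeader("PaxHeaders/f", tar.TypeXHeader, int64(len(pax))))
	buf.WriteString(pax)
	buf.Write(make([]byte, padding(int64(len(pax)))))
	buf.Write(rawHeader("f", tar.TypeReg, 1))
	buf.WriteByte('!')
	buf.Write(make([]byte, padding(1)))
	buf.Write(make([]byte, 1024)) // two zero blocks end the archive
	return buf.Bytes()
}

// scanSpecialBlocks is a caller-side pre-check for untrusted archives: it walks the
// raw headers and rejects any PAX ('x', 'g') or GNU long name/link ('L', 'K') entry
// whose declared size exceeds limit, skipping bodies through io.Discard so nothing
// is buffered. Sizes are parsed as octal only; base-256 sizes are rejected (fail closed).
func scanSpecialBlocks(r io.Reader, limit int64) error {
	var blk [512]byte
	for {
		if _, err := io.ReadFull(r, blk[:]); err != nil {
			return err // truncated stream or missing end marker: fail closed
		}
		if blk == ([512]byte{}) {
			return nil // end-of-archive marker
		}
		size, err := strconv.ParseInt(strings.Trim(string(blk[124:136]), " \x00"), 8, 64)
		if err != nil || size < 0 {
			return fmt.Errorf("unparseable size field %q", blk[124:136])
		}
		switch blk[156] {
		case tar.TypeLink, tar.TypeSymlink, tar.TypeChar, tar.TypeBlock, tar.TypeDir, tar.TypeFifo:
			size = 0 // header-only types carry no body whatever the size field says
		case tar.TypeXHeader, tar.TypeXGlobalHeader, tar.TypeGNULongName, tar.TypeGNULongLink:
			if size > limit {
				return fmt.Errorf("%w: typeflag %q declares %d bytes", errSpecialTooLong, blk[156], size)
			}
		}
		if _, err := io.CopyN(io.Discard, r, size+padding(size)); err != nil {
			return err
		}
	}
}

func main() {
	for _, n := range []int{64, 3 << 20} {
		a := buildArchive(n)
		_, stdErr := tar.NewReader(bytes.NewReader(a)).Next()
		fmt.Printf("%d-byte path record: scan=%v, archive/tar=%v\n", n, scanSpecialBlocks(bytes.NewReader(a), maxSpecialFileSize), stdErr)
	}
}
```

With `go run` on a toolchain that contains this fix, both the scan and `archive/tar` reject the 3 MiB record while the 64-byte record passes and `Next` returns the regular file with the PAX path applied. On a toolchain without the fix the scan still rejects the large record, but `archive/tar` reads the entire block into memory before parsing it, which is the behaviour the issue describes; raising `pathLen` scales that allocation directly. The scan is a pre-check for input you already hold as bytes or on disk, not a substitute for updating the toolchain, and it deliberately fails closed on anything it cannot parse.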