archive/tar: unbounded allocation when parsing GNU sparse map (CVE-2025-58183)

[neild]

tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.

Thanks to Harshit Gupta (Mr HAX) - https://www.linkedin.com/in/iam-harshit-gupta/ for reporting this issue.

This is CVE-2025-58183 and Go issue https://go.dev/issue/75677.

---

This is a PRIVATE issue for CVE-2025-58183, tracked in http://b/440100289 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/2800.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #75710 (for 1.24), #75711 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/709843 mentions this issue: [release-branch.go1.24] archive/tar: set a limit on the size of GNU sparse file 1.0 regions

[gopherbot]

Change https://go.dev/cl/709861 mentions this issue: archive/tar: set a limit on the size of GNU sparse file 1.0 regions

[gopherbot]

Change https://go.dev/cl/709852 mentions this issue: [release-branch.go1.25] archive/tar: set a limit on the size of GNU sparse file 1.0 regions