vendor: github.com/vbatts/tar-split v0.12.3#52478
Merged
thaJeztah merged 3 commits intomoby:masterfrom Apr 29, 2026
Merged
Conversation
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The deprecated asm.NewInputTarStream leaves a goroutine hanging if the consumer doesn't fully drain the stream, and provides no signal for when the internal parsing goroutine has completed. Switch to asm.NewInputTarStreamWithDone which returns a done channel, allowing us to detect goroutine completion and surface any errors from the internal tar parsing. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
vvoland
added
kind/bugfix
There was a problem hiding this comment.
Pull request overview
Updates the vendored github.com/vbatts/tar-split dependency to v0.12.3 (including the CVE-2026-32288 fix) and migrates Moby’s layer tar processing to the new asm.NewInputTarStreamWithDone API to avoid goroutine leaks and to surface parsing errors via a completion channel.
Changes:
- Bump
github.com/vbatts/tar-splitfrom v0.12.2 to v0.12.3 (go.mod/go.sum/vendor metadata). - Vendor upstream tar-split changes (new
NewInputTarStreamWithDone, sparse tar DoS fix). - Switch layer tar ingestion paths to
NewInputTarStreamWithDoneand wait on the returneddonechannel.
Reviewed changes
Copilot reviewed 3 out of 9 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
go.mod |
Updates tar-split requirement to v0.12.3. |
go.sum |
Updates tar-split checksums for v0.12.3. |
vendor/modules.txt |
Updates vendored module version metadata for tar-split. |
vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go |
Vendors new NewInputTarStreamWithDone implementation and goroutine lifecycle protocol. |
vendor/github.com/vbatts/tar-split/tar/asm/iterate.go |
Updates comment to reference the new API. |
vendor/github.com/vbatts/tar-split/archive/tar/reader.go |
Vendors sparse-map parsing hardening (CVE fix) with entry limits. |
vendor/github.com/vbatts/tar-split/archive/tar/format.go |
Adds a sparse entry limit constant for defense-in-depth. |
daemon/internal/layer/migration.go |
Migrates checksum calculation to NewInputTarStreamWithDone. |
daemon/internal/layer/layer_store.go |
Migrates tar apply path to NewInputTarStreamWithDone and drains/waits for completion. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
NewInputTarStreamWithDone returns an io.ReadCloser whose background goroutine may block on a pipe write if the consumer doesn't fully drain the stream. If digest.FromReader returns early with an error, the subsequent <-done would block forever because the pipe write has no reader. Add defer archive.Close() so the pipe is always broken on exit, allowing the background goroutine to terminate and send on the done channel. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 9 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
vendor: github.com/vbatts/tar-split v0.12.3
Most important changes are:
Full Changelog: vbatts/tar-split@v0.12.2...v0.12.3
layer: Migrate off deprecated NewInputTarStream
The deprecated asm.NewInputTarStream leaves a goroutine hanging if the consumer doesn't fully drain the stream, and provides no signal for when the internal parsing goroutine has completed.
Switch to asm.NewInputTarStreamWithDone which returns a done channel, allowing us to detect goroutine completion and surface any errors from the internal tar parsing.