mirrors/tar-split
1
0
Fork 1
mirror of https://github.com/vbatts/tar-split.git synced 2025-07-07 00:38:30 +00:00
Code Releases Activity

archive/tar: fix for CVE-2022-2879

Browse source 
Fixes: #76

In a specially crafted tar archive can cause `io.ReadAll()` to overrun
the memory.
The fix is taken from upstream golang, as this tar-split repo carries an
old fork from upstream.

Thanks to @tojoos and @bainsy88 for reporting.

References:
- https://nvd.nist.gov/vuln/detail/cve-2022-2879
- 0bf7ee9
- https://go-review.googlesource.com/c/go/+/439355/2/src/archive/tar/reader.go#106

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
This commit is contained in:
Vincent Batts 2025-01-20 10:22:24 -05:00
parent cc780eeb0b
commit 1c425c4aaa
Signed by: vbatts
GPG key ID: E30EFAA812C6E5ED
2 changed files with 16 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
archive/tar/format.go
View file

@ -143,6 +143,10 @@ const (
blockSize = 512 // Size of each block in a tar stream
nameSize = 100 // Max length of the name field in USTAR format
prefixSize = 155 // Max length of the prefix field in USTAR format
// Max length of a special file (PAX header, GNU long name or link).
// This matches the limit used by libarchive.
maxSpecialFileSize = 1 << 20
)
// blockPadding computes the number of bytes needed to pad offset up to the