mirror of https://github.com/vbatts/tar-split.git synced 2025-02-17 06:57:50 +00:00
Commit graph

4 commits

Author SHA1 Message Date
b8ca13f886 Revert "*.go: move the carried archive/tar to internal/"
See https://github.com/vbatts/tar-split/issues/81

This reverts commit c8b16f6803.
2025-01-30 17:39:11 -05:00
c8b16f6803
*.go: move the carried archive/tar to internal/
The feature of golang having source in a project path with "internal"
makes the code only able to be imported by the project itself.
https://docs.google.com/document/d/1e8kOo3r51b2BWtTs_1uADIA5djfXhPT36s6eHVRIvaU/edit?tab=t.0

Since we have this carried version of `archive/tar` with our byte
accounting patches, it also means the version of archive/tar has not
kept up with upstream.

Our tar-split libraries do not even utilize all the function calls of
our carried archive/tar, so might as well limit anyone else in the world
from calling them as well.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2025-01-28 11:04:47 -05:00
1c425c4aaa
archive/tar: fix for CVE-2022-2879
Fixes: #76

A specially crafted tar archive can cause `io.ReadAll()` to overrun
the memory.
The fix is taken from upstream golang, as this tar-split repo carries an
old fork from upstream.

Thanks to @tojoos and @bainsy88 for reporting.

References:
- https://nvd.nist.gov/vuln/detail/cve-2022-2879
- https://github.com/golang/go/commit/0bf7ee9
- https://go-review.googlesource.com/c/go/+/439355/2/src/archive/tar/reader.go#106

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2025-01-20 10:25:58 -05:00
Kir Kolyshkin
73fdb78c36 archive/tar: replace with one from go-1.11
The RawAccounting changes are to be ported on top.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-09-05 14:04:10 -07:00