From b63b96722cdb30ce2911a6eb3ef9ee5ae2e00e06 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 9 Nov 2017 11:50:34 +0100 Subject: [PATCH 1/3] vendor.conf: update vbatts/tar-split to v0.10.2 Fix CVE-2017-14992 Signed-off-by: Antonio Murdaca --- vendor.conf | 2 +- vendor/github.com/vbatts/tar-split/README.md | 3 +- .../vbatts/tar-split/tar/asm/disassemble.go | 43 ++++++++++++------- 3 files changed, 31 insertions(+), 17 deletions(-) diff --git a/vendor.conf b/vendor.conf index f36fcc14..1d8a8bf2 100644 --- a/vendor.conf +++ b/vendor.conf @@ -73,7 +73,7 @@ github.com/emicklei/go-restful-swagger12 1.0.1 github.com/pkg/errors v0.8.0 github.com/godbus/dbus a389bdde4dd695d414e47b755e95e72b7826432c github.com/urfave/cli v1.20.0 -github.com/vbatts/tar-split v0.10.1 +github.com/vbatts/tar-split v0.10.2 github.com/renstrom/dedent v1.0.0 github.com/hpcloud/tail v1.0.0 gopkg.in/fsnotify.v1 v1.4.2 diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md index 4c544d82..03e3ec43 100644 --- a/vendor/github.com/vbatts/tar-split/README.md +++ b/vendor/github.com/vbatts/tar-split/README.md @@ -1,6 +1,7 @@ # tar-split [![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split) +[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split) Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive. 
@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a contiguous file, though the archive contents may be recorded in sparse format. Therefore when adding the file payload to a reassembled tar, to achieve identical output, the file payload would need be precisely re-sparsified. This
-is not something I seek to fix imediately, but would rather have an alert that
+is not something I seek to fix immediately, but would rather have an alert that
 precise reassembly is not possible. (see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html)
diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
index 54ef23ae..009b3f5d 100644
--- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
@@ -2,7 +2,6 @@ package asm
 
 import (
 "io"
- "io/ioutil"
 
 "github.com/vbatts/tar-split/archive/tar"
 "github.com/vbatts/tar-split/tar/storage"
@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io
 }
 }
 
- // it is allowable, and not uncommon that there is further padding on the
- // end of an archive, apart from the expected 1024 null bytes.
- remainder, err := ioutil.ReadAll(outputRdr)
- if err != nil && err != io.EOF {
- pW.CloseWithError(err)
- return
- }
- _, err = p.AddEntry(storage.Entry{
- Type: storage.SegmentType,
- Payload: remainder,
- })
- if err != nil {
- pW.CloseWithError(err)
- return
+ // It is allowable, and not uncommon that there is further padding on
+ // the end of an archive, apart from the expected 1024 null bytes. We
+ // do this in chunks rather than in one go to avoid cases where a
+ // maliciously crafted tar file tries to trick us into reading many GBs
+ // into memory.
+ const paddingChunkSize = 1024 * 1024
+ var paddingChunk [paddingChunkSize]byte
+ for {
+ var isEOF bool
+ n, err := outputRdr.Read(paddingChunk[:])
+ if err != nil {
+ if err != io.EOF {
+ pW.CloseWithError(err)
+ return
+ }
+ isEOF = true
+ }
+ _, err = p.AddEntry(storage.Entry{
+ Type: storage.SegmentType,
+ Payload: paddingChunk[:n],
+ })
+ if err != nil {
+ pW.CloseWithError(err)
+ return
+ }
+ if isEOF {
+ break
+ }
 }
 pW.Close()
 }()
From 17bcfb495caf9454911c8b8e28134194ce947d5a Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 9 Nov 2017 11:59:18 +0100 Subject: [PATCH 2/3] version: bump v1.0.3 Signed-off-by: Antonio Murdaca
---
 version/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version/version.go b/version/version.go
index da50737c..fb6cf040 100644
--- a/version/version.go
+++ b/version/version.go
@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "1.0.3-dev"
+const Version = "1.0.3"
From dc8d1e938326f1bbab39a55bf191ff18602541d6 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 9 Nov 2017 11:59:37 +0100 Subject: [PATCH 3/3] version: bump to v1.0.4-dev
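Review bot: `Payload: paddingChunk[:n]` hands the packer a slice that aliases the one `paddingChunk` array, and the next `outputRdr.Read` overwrites that array, so the fix is only correct if `p.AddEntry` consumes or copies the payload before it returns — a contract the `storage.Packer` interface is not shown to state, and one an implementation that buffers entries would silently break by recording a later chunk's bytes under an earlier position. That invariant deserves a comment at the AddEntry call, e.g. `// paddingChunk is reused on the next iteration: AddEntry must not retain Payload.`, or a copy of the slice if retention cannot be ruled out. A smaller point: a Read that returns `(0, io.EOF)` after a full chunk still records an empty SegmentType entry, which is harmless for reassembly but is a change to the emitted metadata compared with the single-entry behaviour it replaces; skipping AddEntry when `n == 0 && isEOF` on a non-first iteration would avoid it, if consumers do not depend on a trailing entry. The enclosing goroutine closure starts outside the hunk.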
Signed-off-by: Antonio Murdaca
---
 version/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version/version.go b/version/version.go
index fb6cf040..fb9bdff7 100644
--- a/version/version.go
+++ b/version/version.go
@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "1.0.3"
+const Version = "1.0.4-dev"