Merge pull request #1134 from runcom/fix-cve-2017-14992

[release-1.0] vendor.conf: update vbatts/tar-split to v0.10.2

vendor.conf

@@ -73,7 +73,7 @@ github.com/emicklei/go-restful-swagger12 1.0.1
 github.com/pkg/errors v0.8.0
 github.com/godbus/dbus a389bdde4dd695d414e47b755e95e72b7826432c
 github.com/urfave/cli v1.20.0
-github.com/vbatts/tar-split v0.10.1
+github.com/vbatts/tar-split v0.10.2
 github.com/renstrom/dedent v1.0.0
 github.com/hpcloud/tail v1.0.0
 gopkg.in/fsnotify.v1 v1.4.2

vendor/github.com/vbatts/tar-split/README.md

@@ -1,6 +1,7 @@
 # tar-split
 
 [![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split)
+[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split)
 
 Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive.
 
@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a
 contiguous file, though the archive contents may be recorded in sparse format.
 Therefore when adding the file payload to a reassembled tar, to achieve
 identical output, the file payload would need be precisely re-sparsified. This
-is not something I seek to fix imediately, but would rather have an alert that
+is not something I seek to fix immediately, but would rather have an alert that
 precise reassembly is not possible.
 (see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html)
 

vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go

@@ -2,7 +2,6 @@ package asm
 
 import (
 	"io"
-	"io/ioutil"
 
 	"github.com/vbatts/tar-split/archive/tar"
 	"github.com/vbatts/tar-split/tar/storage"
@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io
 			}
 		}
 
-		// it is allowable, and not uncommon that there is further padding on the
+		// It is allowable, and not uncommon that there is further padding on
-		// end of an archive, apart from the expected 1024 null bytes.
+		// the end of an archive, apart from the expected 1024 null bytes. We
-		remainder, err := ioutil.ReadAll(outputRdr)
+		// do this in chunks rather than in one go to avoid cases where a
-		if err != nil && err != io.EOF {
+		// maliciously crafted tar file tries to trick us into reading many GBs
-			pW.CloseWithError(err)
+		// into memory.
-			return
+		const paddingChunkSize = 1024 * 1024
-		}
+		var paddingChunk [paddingChunkSize]byte
-		_, err = p.AddEntry(storage.Entry{
+		for {
-			Type:    storage.SegmentType,
+			var isEOF bool
-			Payload: remainder,
+			n, err := outputRdr.Read(paddingChunk[:])
-		})
+			if err != nil {
-		if err != nil {
+				if err != io.EOF {
-			pW.CloseWithError(err)
+					pW.CloseWithError(err)
-			return
+					return
+				}
+				isEOF = true
+			}
+			_, err = p.AddEntry(storage.Entry{
+				Type:    storage.SegmentType,
+				Payload: paddingChunk[:n],
+			})
+			if err != nil {
+				pW.CloseWithError(err)
+				return
+			}
+			if isEOF {
+				break
+			}
 		}
 		pW.Close()
 	}()

version/version.go

@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "1.0.3-dev"
+const Version = "1.0.4-dev"