[go/release-branch.go1.24] [release-branch.go1.24] archive/tar: set a limit on the size of GNU sparse file 1.0 regions

1 view
Skip to first unread message

Gopher Robot (Gerrit)

unread,
Oct 7, 2025, 2:01:07 PM (18 hours ago) Oct 7
to Michael Pratt, Damien Neil, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.24] archive/tar: set a limit on the size of GNU sparse file 1.0 regions

Sparse files in tar archives contain only the non-zero components
of the file. There are several different encodings for sparse
files. When reading GNU tar pax 1.0 sparse files, archive/tar did
not set a limit on the size of the sparse region data. A malicious
archive containing a large number of sparse blocks could cause
archive/tar to read an unbounded amount of data from the archive
into memory.

Since a malicious input can be highly compressable, a small
compressed input could cause very large allocations.

Cap the size of the sparse block data to the same limit used
for PAX headers (1 MiB).

Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
for reporting this issue.

Fixes CVE-2025-58183
For #75677
Fixes #75710
Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Files:
  • M src/archive/tar/common.go
  • M src/archive/tar/reader.go
  • M src/archive/tar/reader_test.go
  • A src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
Change size: S
Delta: 4 files changed, 13 insertions(+), 2 deletions(-)
Branch: refs/heads/release-branch.go1.24
Submit Requirements:
  • requirement satisfiedCode-Review: +2 by Carlos Amedee
  • requirement satisfiedTryBots-Pass: TryBot-Bypass+1 by Michael Pratt
Open in Gerrit
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.24
Gerrit-Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
Gerrit-Change-Number: 709843
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-CC: Damien Neil <dn...@google.com>
open
diffy
satisfied_requirement

Gopher Robot (Gerrit)

unread,
Oct 7, 2025, 2:04:29 PM (18 hours ago) Oct 7
to Michael Pratt, Damien Neil, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.25] archive/tar: set a limit on the size of GNU sparse file 1.0 regions


Sparse files in tar archives contain only the non-zero components
of the file. There are several different encodings for sparse
files. When reading GNU tar pax 1.0 sparse files, archive/tar did
not set a limit on the size of the sparse region data. A malicious
archive containing a large number of sparse blocks could cause
archive/tar to read an unbounded amount of data from the archive
into memory.

Since a malicious input can be highly compressable, a small
compressed input could cause very large allocations.

Cap the size of the sparse block data to the same limit used
for PAX headers (1 MiB).

Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
for reporting this issue.

Fixes CVE-2025-58183
For #75677
Fixes #75711
Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Auto-Submit: Michael Pratt <mpr...@google.com>
Files:
  • M src/archive/tar/common.go
  • M src/archive/tar/reader.go
  • M src/archive/tar/reader_test.go
  • A src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
Change size: S
Delta: 4 files changed, 13 insertions(+), 2 deletions(-)
Branch: refs/heads/release-branch.go1.25
Submit Requirements:
  • requirement satisfiedCode-Review: +2 by Carlos Amedee
  • requirement satisfiedTryBots-Pass: TryBot-Bypass+1 by Michael Pratt
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.25
Gerrit-Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
Gerrit-Change-Number: 709852
open
diffy
satisfied_requirement

Gopher Robot (Gerrit)

unread,
Oct 7, 2025, 3:46:40 PM (16 hours ago) Oct 7
to Michael Pratt, Damien Neil, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
archive/tar: set a limit on the size of GNU sparse file 1.0 regions


Sparse files in tar archives contain only the non-zero components
of the file. There are several different encodings for sparse
files. When reading GNU tar pax 1.0 sparse files, archive/tar did
not set a limit on the size of the sparse region data. A malicious
archive containing a large number of sparse blocks could cause
archive/tar to read an unbounded amount of data from the archive
into memory.

Since a malicious input can be highly compressable, a small
compressed input could cause very large allocations.

Cap the size of the sparse block data to the same limit used
for PAX headers (1 MiB).

Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
for reporting this issue.

Fixes CVE-2025-58183
Fixes #75677
Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Files:
  • M src/archive/tar/common.go
  • M src/archive/tar/reader.go
  • M src/archive/tar/reader_test.go
  • A src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
Change size: S
Delta: 4 files changed, 13 insertions(+), 2 deletions(-)
Branch: refs/heads/master
Submit Requirements:
    • requirement satisfiedCode-Review: +2 by Carlos Amedee
    • requirement satisfiedTryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI, TryBot-Bypass+1 by Michael Pratt
    Open in Gerrit
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: merged
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
    Gerrit-Change-Number: 709861
    Gerrit-PatchSet: 2
    Gerrit-Owner: Michael Pratt <mpr...@google.com>
    Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
    open
    diffy
    satisfied_requirement
    Reply all
    Reply to author
    Forward
    0 new messages