id: GO-2022-1037
modules:
    - module: std
      versions:
          - fixed: 1.18.7
          - introduced: 1.19.0-0
            fixed: 1.19.2
      vulnerable_at: 1.19.1
      packages:
          - package: archive/tar
            symbols:
                - Reader.next
                - parsePAX
                - Writer.writePAXHeader
            derived_symbols:
                - Reader.Next
                - Writer.WriteHeader
summary: Unbounded memory consumption when reading headers in archive/tar
description: |-
    Reader.Read does not set a limit on the maximum size of file headers. A
    maliciously crafted archive could cause Read to allocate unbounded amounts of
    memory, potentially causing resource exhaustion or panics. After fix,
    Reader.Read limits the maximum size of header blocks to 1 MiB.
credits:
    - Adam Korczynski (ADA Logics)
    - OSS-Fuzz
references:
    - report: https://go.dev/issue/54853
    - fix: https://go.dev/cl/439355
    - web: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
cve_metadata:
    id: CVE-2022-2879
    cwe: 'CWE 400: Uncontrolled Resource Consumption'
    references:
        - https://security.gentoo.org/glsa/202311-09