| id: GO-2022-1037 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.18.7 |
| - introduced: 1.19.0-0 |
| - fixed: 1.19.2 |
| vulnerable_at: 1.19.1 |
| packages: |
| - package: archive/tar |
| symbols: |
| - Reader.next |
| - parsePAX |
| - Writer.writePAXHeader |
| derived_symbols: |
| - Reader.Next |
| - Writer.WriteHeader |
| summary: Unbounded memory consumption when reading headers in archive/tar |
| description: |- |
| Reader.Read does not set a limit on the maximum size of file headers. A |
| maliciously crafted archive could cause Read to allocate unbounded amounts of |
| memory, potentially causing resource exhaustion or panics. After fix, |
| Reader.Read limits the maximum size of header blocks to 1 MiB. |
| credits: |
| - Adam Korczynski (ADA Logics) |
| - OSS-Fuzz |
| references: |
| - report: https://go.dev/issue/54853 |
| - fix: https://go.dev/cl/439355 |
| - web: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU |
| cve_metadata: |
| id: CVE-2022-2879 |
| cwe: 'CWE 400: Uncontrolled Resource Consumption' |
| references: |
| - https://security.gentoo.org/glsa/202311-09 |
| review_status: REVIEWED |