Bug 2407258 (CVE-2025-58183)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2025-58183 golang: archive/tar: Unbounded allocation when parsing GNU sparse map | | |
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abarbaro, akostadi, alcohan, alizardo, amasferr, amctagga, anjoseph, anpicker, ansmith, aoconnor, asatyam, bbrownin, bdettelb, bniver, bparees, brainfor, dhanak, diagrawa, dmayorov, doconnor, drosa, dsimansk, dymurray, eglynn, fdeutsch, flucifre, gmeno, gparvin, groman, hasun, ibolton, jbalunas, jcantril, jchui, jfula, jhe, jjoyce, jkoehler, jlledo, jmatthew, jmontleo, jowilson, jprabhak, jschluet, kingland, ktsao, kverlaen, lball, lchilton, ldai, lgamliel, lhh, lphiri, lsharar, lsvaty, lucarval, manissin, matzew, mbenjamin, mburns, mgarciac, mhackett, mnovotny, mwringe, nboldt, ngough, nyancey, ometelka, oramraz, owatkins, pahickey, pantinor, peholase, pgaikwad, pgrist, pjindal, psrna, ptisnovs, rfreiman, rhaigner, rjohnson, rojacob, sabiswas, sausingh, sdawley, sfeifer, slucidi, smullick, sostapov, sseago, stirabos, syedriko, teagle, thason, tsedmik, vereddy, veshanka, whayutin, wtam, xdharmai |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a large number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2408921, 2408923, 2408925, 2408927, 2412476, 2412477, 2412478, 2412479, 2412480, 2412481, 2412482, 2412483, 2412484, 2412485, 2412486, 2412487, 2412488, 2412489, 2412490, 2412491, 2412492, 2412493, 2412494, 2412495, 2412496, 2412497, 2412498, 2412499, 2412513, 2412514, 2412515, 2412516, 2412517, 2412518, 2412521, 2412522, 2412523, 2412527, 2412528, 2412531, 2412532, 2412533, 2412534, 2412535, 2412536, 2412537, 2412538, 2412539, 2412540, 2412541, 2412542, 2412543, 2412544, 2412545, 2412546, 2412547, 2412548, 2412549, 2412550, 2412551, 2412552, 2412553, 2412554, 2412556, 2412557, 2412558, 2412559, 2412560, 2412561, 2412562, 2412563, 2412564, 2412565, 2412566, 2412567, 2412571, 2412572, 2412573, 2412574, 2412575, 2412576, 2412577, 2412578, 2412579, 2412580, 2412581, 2412583, 2412584, 2412585, 2412586, 2412591, 2412592, 2412593, 2412594, 2412595, 2412596, 2412597, 2412598, 2412599, 2412600, 2412602, 2412603, 2412604, 2412605, 2412606, 2412607, 2412608, 2412609, 2412610, 2412612, 2412647, 2412653, 2412654, 2412656, 2412657, 2412658, 2412659, 2412660, 2412661, 2412666, 2412668, 2412669, 2412670, 2412673, 2412674, 2412675, 2412679, 2412680, 2412683, 2412684, 2412685, 2412686, 2412687, 2412688, 2412689, 2412690, 2412691, 2412692, 2412693, 2412694, 2412696, 2412697, 2412698, 2412699, 2412700, 2412701, 2412702, 2412703, 2412704, 2412705, 2412707, 2412708, 2412709, 2412710, 2412711, 2412712, 2412713, 2412745, 2412746, 2412747, 2412748, 2412749, 2412752, 2412753, 2412754, 2412755, 2412759, 2412760, 2412763, 2412764, 2412765, 2412766, 2412767, 2412768, 2412769, 2412770, 2412771, 2412772, 2412773, 2412774, 2412775, 2412776, 2412777, 2412778, 2412779, 2412780, 2412781, 2412782, 2412783, 2412784, 2412785, 2412786, 2412787, 2412789, 2412790, 2412791, 2412792, 2412794, 2412795, 2412796, 2412797, 2412798, 2412799, 2412800, 2412801, 2412806, 2412807, 2412808, 2412809, 2412810, 2412811, 2412812, 2412813, 2412814, 2412815, 2412816, 2412817, 2412819, 2412820, 2412821, 2412822, 2412823, 2412824, 2412826, 2412848, 2412850, 2412853, 2408915, 2408917, 2408919, 2412509, 2412510, 2412511, 2412519, 2412520, 2412524, 2412525, 2412526, 2412529, 2412530, 2412555, 2412568, 2412569, 2412570, 2412582, 2412587, 2412588, 2412589, 2412590, 2412601, 2412611, 2412613, 2412662, 2412663, 2412664, 2412665, 2412667, 2412671, 2412672, 2412676, 2412677, 2412678, 2412681, 2412682, 2412706, 2412744, 2412750, 2412751, 2412756, 2412757, 2412758, 2412761, 2412762, 2412788, 2412802, 2412803, 2412804, 2412805, 2412818, 2412825 | | |
| Bug Blocks: | | | |
Description
OSIDB Bzimport
2025-10-29 23:02:14 UTC
This issue has been addressed in the following products:

- Red Hat Enterprise Linux 10.0 Extended Update Support, via RHSA-2025:21779 https://access.redhat.com/errata/RHSA-2025:21779
- Red Hat Enterprise Linux 9.6 Extended Update Support, via RHSA-2025:21778 https://access.redhat.com/errata/RHSA-2025:21778
- Red Hat Enterprise Linux 10, via RHSA-2025:21816 https://access.redhat.com/errata/RHSA-2025:21816
- Red Hat Enterprise Linux 9, via RHSA-2025:21815 https://access.redhat.com/errata/RHSA-2025:21815
- Red Hat Enterprise Linux 9.4 Extended Update Support, via RHSA-2025:21856 https://access.redhat.com/errata/RHSA-2025:21856