Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB. Ref: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1
Created golang tracking bugs for this issue:
Affects: epel-all [bug 2132878]
Affects: fedora-all [bug 2132879]
References: https://github.com/golang/go/issues/54853
Upstream Commits:
Master: https://github.com/golang/go/commit/0bf7ee9977c0218562c50a0b0f0d9cbdf33f65e6
branch.go1.18: https://github.com/golang/go/commit/0a723816cd205576945fa57fbdde7e6532d59d08
branch.go1.19: https://github.com/golang/go/commit/4fa773cdefd20be093c84f731be7d4febf5536fa
This issue has been addressed in the following products: RHOL-5.5-RHEL-8 Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399
This issue has been addressed in the following products: RHOL-5.6-RHEL-8 Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0328 https://access.redhat.com/errata/RHSA-2023:0328
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2023:0445 https://access.redhat.com/errata/RHSA-2023:0445
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:0446 https://access.redhat.com/errata/RHSA-2023:0446
This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.3 for RHEL 8 Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693
This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2023:0708 https://access.redhat.com/errata/RHSA-2023:0708
This issue has been addressed in the following products: RHOSS-1.27-RHEL-8 Via RHSA-2023:0709 https://access.redhat.com/errata/RHSA-2023:0709
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:0727 https://access.redhat.com/errata/RHSA-2023:0727
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:1079 https://access.redhat.com/errata/RHSA-2023:1079
This issue has been addressed in the following products: OpenShift Custom Metrics Autoscaler 2 Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:1174 https://access.redhat.com/errata/RHSA-2023:1174
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2879
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2204 https://access.redhat.com/errata/RHSA-2023:2204
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2780 https://access.redhat.com/errata/RHSA-2023:2780
This issue has been addressed in the following products: RHEL-9-CNV-4.13 Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205
This issue has been addressed in the following products: RHODF-4.13-RHEL-9 Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613
This issue has been addressed in the following products: Service Interconnect 1 for RHEL 8; Service Interconnect 1 for RHEL 9 Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121