Bug 2132867 (CVE-2022-2879) - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
Summary: CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-2879
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2138891 2132878 2132879 2133915 2133916 2133917 2133918 2133919 2133920 2133922 2133923 2133924 2134345 2134405 2134406 2134407 2134441 2134442 2134443 2134445 2134446 2134447 2134448 2134449 2134450 2134453 2134454 2134455 2134456 2134457 2134467 2134468 2136717 2136718 2136719 2136720 2136721 2136722 2136723 2136835 2136839 2136841 2136843 2136849
Blocks: 2132475
TreeView+ depends on / blocked
 
Reported: 2022-10-07 04:49 UTC by Avinash Hanwate
Modified: 2024-04-02 15:27 UTC (History)
105 users (show)

Fixed In Version: go 1.19.2, go 1.18.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
Clone Of:
Environment:
Last Closed: 2023-03-09 05:24:18 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:37:27 UTC
Red Hat Product Errata RHSA-2022:8781 0 None None None 2022-12-08 07:37:53 UTC
Red Hat Product Errata RHSA-2023:0264 0 None None None 2023-01-19 11:04:35 UTC
Red Hat Product Errata RHSA-2023:0328 0 None None None 2023-01-23 15:20:28 UTC
Red Hat Product Errata RHSA-2023:0445 0 None None None 2023-01-25 08:31:06 UTC
Red Hat Product Errata RHSA-2023:0446 0 None None None 2023-01-25 09:15:59 UTC
Red Hat Product Errata RHSA-2023:0542 0 None None None 2023-01-30 17:20:50 UTC
Red Hat Product Errata RHSA-2023:0693 0 None None None 2023-02-09 02:18:02 UTC
Red Hat Product Errata RHSA-2023:0708 0 None None None 2023-02-09 09:26:09 UTC
Red Hat Product Errata RHSA-2023:0709 0 None None None 2023-02-09 12:05:35 UTC
Red Hat Product Errata RHSA-2023:0727 0 None None None 2023-02-16 14:14:19 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:40:50 UTC
Red Hat Product Errata RHSA-2023:1079 0 None None None 2023-03-06 16:24:47 UTC
Red Hat Product Errata RHSA-2023:1174 0 None None None 2023-03-09 01:25:07 UTC
Red Hat Product Errata RHSA-2023:2204 0 None None None 2023-05-09 07:17:47 UTC
Red Hat Product Errata RHSA-2023:2780 0 None None None 2023-05-16 08:11:42 UTC
Red Hat Product Errata RHSA-2023:3205 0 None None None 2023-05-18 02:55:26 UTC
Red Hat Product Errata RHSA-2023:3613 0 None None None 2023-06-26 01:16:00 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:51:58 UTC
Red Hat Product Errata RHSA-2023:4003 0 None None None 2023-07-10 08:51:08 UTC
Red Hat Product Errata RHSA-2024:0121 0 None None None 2024-01-10 11:27:50 UTC

Description Avinash Hanwate 2022-10-07 04:49:22 UTC 
Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.

Ref: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1
Comment 1 Avinash Hanwate 2022-10-07 05:06:04 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2132878]
Affects: fedora-all [bug 2132879]
Comment 10 TEJ RATHI 2022-10-13 13:33:07 UTC 
References:
https://github.com/golang/go/issues/54853

Upstream Commits:
Master : https://github.com/golang/go/commit/0bf7ee9977c0218562c50a0b0f0d9cbdf33f65e6
branch.go1.18 : https://github.com/golang/go/commit/0a723816cd205576945fa57fbdde7e6532d59d08
branch.go1.19 : https://github.com/golang/go/commit/4fa773cdefd20be093c84f731be7d4febf5536fa
Comment 16 errata-xmlrpc 2022-12-08 07:37:47 UTC 
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781
Comment 30 errata-xmlrpc 2023-01-17 19:37:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399
Comment 31 errata-xmlrpc 2023-01-19 11:04:29 UTC 
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264
Comment 35 errata-xmlrpc 2023-01-23 15:20:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0328 https://access.redhat.com/errata/RHSA-2023:0328
Comment 36 errata-xmlrpc 2023-01-25 08:31:00 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2023:0445 https://access.redhat.com/errata/RHSA-2023:0445
Comment 37 errata-xmlrpc 2023-01-25 09:15:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0446 https://access.redhat.com/errata/RHSA-2023:0446
Comment 38 errata-xmlrpc 2023-01-30 17:20:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542
Comment 46 errata-xmlrpc 2023-02-09 02:17:56 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693
Comment 47 errata-xmlrpc 2023-02-09 09:26:05 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:0708 https://access.redhat.com/errata/RHSA-2023:0708
Comment 48 errata-xmlrpc 2023-02-09 12:05:30 UTC 
This issue has been addressed in the following products:

  RHOSS-1.27-RHEL-8

Via RHSA-2023:0709 https://access.redhat.com/errata/RHSA-2023:0709
Comment 49 errata-xmlrpc 2023-02-16 14:14:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:0727 https://access.redhat.com/errata/RHSA-2023:0727
Comment 51 errata-xmlrpc 2023-03-06 16:24:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1079 https://access.redhat.com/errata/RHSA-2023:1079
Comment 52 errata-xmlrpc 2023-03-06 18:40:46 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 53 errata-xmlrpc 2023-03-09 01:25:02 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:1174 https://access.redhat.com/errata/RHSA-2023:1174
Comment 54 Product Security DevOps Team 2023-03-09 05:24:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2879
Comment 55 errata-xmlrpc 2023-05-09 07:17:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2204 https://access.redhat.com/errata/RHSA-2023:2204
Comment 56 errata-xmlrpc 2023-05-16 08:11:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2780 https://access.redhat.com/errata/RHSA-2023:2780
Comment 57 errata-xmlrpc 2023-05-18 02:55:22 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205
Comment 58 errata-xmlrpc 2023-06-22 19:51:52 UTC 
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
Comment 59 errata-xmlrpc 2023-06-26 01:15:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613
Comment 60 errata-xmlrpc 2023-07-10 08:51:04 UTC 
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003
Comment 62 errata-xmlrpc 2024-01-10 11:27:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121
Note You need to log in before you can comment on or make changes to this bug.