Bug 2407258 (CVE-2025-58183) - CVE-2025-58183 golang: archive/tar: Unbounded allocation when parsing GNU sparse map
Summary: CVE-2025-58183 golang: archive/tar: Unbounded allocation when parsing GNU spa...
Keywords:
Status: NEW
Alias: CVE-2025-58183
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2408921 2408923 2408925 2408927 2412476 2412477 2412478 2412479 2412480 2412481 2412482 2412483 2412484 2412485 2412486 2412487 2412488 2412489 2412490 2412491 2412492 2412493 2412494 2412495 2412496 2412497 2412498 2412499 2412513 2412514 2412515 2412516 2412517 2412518 2412521 2412522 2412523 2412527 2412528 2412531 2412532 2412533 2412534 2412535 2412536 2412537 2412538 2412539 2412540 2412541 2412542 2412543 2412544 2412545 2412546 2412547 2412548 2412549 2412550 2412551 2412552 2412553 2412554 2412555 2412556 2412557 2412558 2412559 2412560 2412561 2412562 2412563 2412564 2412565 2412566 2412567 2412571 2412572 2412573 2412574 2412575 2412576 2412577 2412578 2412579 2412580 2412581 2412583 2412584 2412585 2412586 2412591 2412592 2412593 2412594 2412595 2412596 2412597 2412598 2412599 2412600 2412602 2412603 2412604 2412605 2412606 2412607 2412608 2412609 2412610 2412612 2412647 2412653 2412654 2412656 2412657 2412658 2412659 2412660 2412661 2412666 2412668 2412669 2412670 2412673 2412674 2412675 2412679 2412680 2412683 2412684 2412685 2412686 2412687 2412688 2412689 2412690 2412691 2412692 2412693 2412694 2412696 2412697 2412698 2412699 2412700 2412701 2412702 2412703 2412704 2412705 2412706 2412707 2412708 2412709 2412710 2412711 2412712 2412713 2412745 2412746 2412747 2412748 2412749 2412752 2412753 2412754 2412755 2412759 2412760 2412763 2412764 2412765 2412766 2412767 2412768 2412769 2412770 2412771 2412772 2412773 2412774 2412775 2412776 2412777 2412778 2412779 2412780 2412781 2412782 2412783 2412784 2412785 2412786 2412787 2412788 2412789 2412790 2412791 2412792 2412794 2412795 2412796 2412797 2412798 2412799 2412800 2412801 2412806 2412807 2412808 2412809 2412810 2412811 2412812 2412813 2412814 2412815 2412816 2412817 2412819 2412820 2412821 2412822 2412823 2412824 2412826 2412848 2412850 2412853 2408915 2408917 2408919 2412509 2412510 2412511 2412519 2412520 2412524 2412525 2412526 2412529 2412530 2412568 2412569 2412570 2412582 2412587 
2412588 2412589 2412590 2412601 2412611 2412613 2412662 2412663 2412664 2412665 2412667 2412671 2412672 2412676 2412677 2412678 2412681 2412682 2412744 2412750 2412751 2412756 2412757 2412758 2412761 2412762 2412802 2412803 2412804 2412805 2412818 2412825
Blocks:
Reported: 2025-10-29 23:02 UTC by OSIDB Bzimport
Modified: 2025-11-13 16:28 UTC (History)
CC: 100 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-10-29 23:02:14 UTC
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.
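As an added example (not code from the Go project's archive/tar, the fix, or this bug report), the following Go program parses the pax 1.0 sparse-map format the description refers to and shows the two facts behind the bug: the region count is attacker-controlled, and under compression a map with a huge count costs the attacker almost nothing. The caps maxSparseRegions and maxSparseMapBytes are hypothetical values chosen for illustration, not the limits used upstream; the sample maps are constructed inline.

```go
package main

import (
	"bufio"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// sparseEntry is one data region (offset, length) in a GNU pax 1.0 sparse map.
type sparseEntry struct {
	Offset int64
	Length int64
}

var (
	errTooManyRegions = errors.New("sparse map: declared region count exceeds limit")
	errMalformed      = errors.New("sparse map: malformed")
)

// Hypothetical caps for this example; not the values used by the upstream fix.
const (
	maxSparseRegions  = 4096
	maxSparseMapBytes = 1 << 20
)

// parseSparseMap10 parses a pax 1.0 sparse map, which GNU tar stores at the
// start of the entry's data as newline-terminated decimal integers: the region
// count first, then one (offset, length) pair per region. The declared count is
// checked against maxRegions before anything is allocated or read, and the map
// is read through an io.LimitReader so no single line can grow without bound.
func parseSparseMap10(r io.Reader, maxRegions int) ([]sparseEntry, error) {
	br := bufio.NewReader(io.LimitReader(r, maxSparseMapBytes))
	readInt := func() (int64, error) {
		line, err := br.ReadString('\n')
		if err != nil {
			return 0, errMalformed // EOF mid-map, or map larger than the byte cap
		}
		n, err := strconv.ParseInt(strings.TrimSuffix(line, "\n"), 10, 64)
		if err != nil || n < 0 {
			return 0, errMalformed
		}
		return n, nil
	}
	count, err := readInt()
	if err != nil {
		return nil, err
	}
	// The bound the vulnerable reader lacked: an attacker-chosen count must not
	// decide how much archive data is read into memory.
	if count > int64(maxRegions) {
		return nil, errTooManyRegions
	}
	entries := make([]sparseEntry, 0, int(count))
	for i := int64(0); i < count; i++ {
		off, err := readInt()
		if err != nil {
			return nil, err
		}
		length, err := readInt()
		if err != nil {
			return nil, err
		}
		entries = append(entries, sparseEntry{Offset: off, Length: length})
	}
	return entries, nil
}

// sparseMapSizes builds a constructed map declaring n zero-length regions and
// returns its raw and gzip-compressed sizes: the ratio is why "the attacker
// commits bytes proportional to the count" stops holding for compressed input.
func sparseMapSizes(n int) (raw, compressed int, err error) {
	var plain bytes.Buffer
	fmt.Fprintf(&plain, "%d\n", n)
	for i := 0; i < n; i++ {
		plain.WriteString("0\n0\n")
	}
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	if _, err = w.Write(plain.Bytes()); err != nil {
		return 0, 0, err
	}
	if err = w.Close(); err != nil {
		return 0, 0, err
	}
	return plain.Len(), gz.Len(), nil
}

func main() {
	// Constructed sample inputs.
	entries, err := parseSparseMap10(strings.NewReader("2\n0\n512\n4096\n100\n"), maxSparseRegions)
	fmt.Println("benign map:", entries, err)
	_, err = parseSparseMap10(strings.NewReader("1000000000\n0\n1\n"), maxSparseRegions) // claims 1e9 regions
	fmt.Println("hostile map:", err)
	raw, comp, _ := sparseMapSizes(1 << 20)
	fmt.Printf("%d regions: %d bytes raw, %d bytes gzipped\n", 1<<20, raw, comp)
}
```

The count check and the byte limit are independent defences: the first rejects an absurd header value before the loop runs, the second stops a single overlong line or a map that lies about its count from consuming more than maxSparseMapBytes. Upgrading to a Go release that ships the fix remains the actual remediation; this parser only shows the shape of the missing bound.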

