2407258 – (CVE-2025-58183) CVE-2025-58183 golang: archive/tar: Unbounded allocation when parsing GNU sparse map

Bug 2407258 (CVE-2025-58183) - CVE-2025-58183 golang: archive/tar: Unbounded allocation when parsing GNU sparse map

Summary: CVE-2025-58183 golang: archive/tar: Unbounded allocation when parsing GNU spa...

Keywords:
Status:	NEW
Alias:	CVE-2025-58183
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2408921 2408923 2408925 2408927 2412476 2412477 2412478 2412479 2412480 2412481 2412482 2412483 2412484 2412485 2412487 2412488 2412489 2412490 2412492 2412493 2412494 2412497 2412498 2412499 2412513 2412514 2412515 2412517 2412518 2412521 2412522 2412523 2412527 2412528 2412531 2412532 2412533 2412534 2412535 2412536 2412537 2412538 2412539 2412540 2412541 2412542 2412543 2412544 2412545 2412546 2412547 2412548 2412549 2412550 2412551 2412552 2412553 2412554 2412556 2412557 2412558 2412559 2412560 2412561 2412562 2412563 2412564 2412565 2412566 2412567 2412571 2412572 2412573 2412575 2412576 2412577 2412578 2412579 2412581 2412584 2412585 2412586 2412591 2412592 2412593 2412594 2412595 2412597 2412598 2412602 2412603 2412604 2412605 2412606 2412607 2412608 2412609 2412610 2412612 2412647 2412653 2412654 2412656 2412657 2412658 2412659 2412660 2412661 2412666 2412668 2412669 2412670 2412673 2412674 2412675 2412679 2412680 2412683 2412684 2412685 2412686 2412687 2412688 2412689 2412690 2412691 2412692 2412693 2412694 2412696 2412697 2412698 2412699 2412700 2412701 2412702 2412703 2412704 2412705 2412707 2412708 2412709 2412710 2412711 2412712 2412713 2412745 2412746 2412747 2412748 2412749 2412752 2412753 2412754 2412755 2412759 2412760 2412763 2412764 2412765 2412766 2412767 2412768 2412769 2412770 2412771 2412772 2412773 2412774 2412775 2412776 2412777 2412778 2412779 2412780 2412781 2412782 2412783 2412784 2412785 2412786 2412787 2412789 2412790 2412791 2412792 2412794 2412795 2412796 2412798 2412799 2412800 2412801 2412806 2412807 2412808 2412810 2412811 2412813 2412814 2412815 2412819 2412820 2412821 2412822 2412823 2412824 2412826 2412848 2412850 2412853 2408915 2408917 2408919 2412486 2412491 2412495 2412496 2412509 2412510 2412511 2412516 2412519 2412520 2412524 2412525 2412526 2412529 2412530 2412555 2412568 2412569 2412570 2412574 2412580 2412582 2412583 2412587 2412588 2412589 2412590 2412596 2412599 2412600 2412601 2412611 2412613 2412662 2412663 2412664 2412665 2412667 2412671 2412672 2412676 2412677 2412678 2412681 2412682 2412706 2412744 2412750 2412751 2412756 2412757 2412758 2412761 2412762 2412788 2412797 2412802 2412803 2412804 2412805 2412809 2412812 2412816 2412817 2412818 2412825
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-29 23:02 UTC by OSIDB Bzimport
Modified:	2025-12-11 00:54 UTC (History)
CC List:	100 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:21778	None	None	None	2025-11-20 00:28:09 UTC
Red Hat Product Errata	RHSA-2025:21779	None	None	None	2025-11-20 00:17:10 UTC
Red Hat Product Errata	RHSA-2025:21815	None	None	None	2025-11-20 06:28:42 UTC
Red Hat Product Errata	RHSA-2025:21816	None	None	None	2025-11-20 06:19:04 UTC
Red Hat Product Errata	RHSA-2025:21856	None	None	None	2025-11-20 15:42:55 UTC
Red Hat Product Errata	RHSA-2025:21964	None	None	None	2025-11-24 14:54:59 UTC
Red Hat Product Errata	RHSA-2025:22011	None	None	None	2025-11-25 05:17:12 UTC
Red Hat Product Errata	RHSA-2025:22012	None	None	None	2025-11-25 04:58:44 UTC
Red Hat Product Errata	RHSA-2025:22030	None	None	None	2025-11-25 07:55:08 UTC
Red Hat Product Errata	RHSA-2025:22181	None	None	None	2025-11-26 15:02:10 UTC
Red Hat Product Errata	RHSA-2025:22255	None	None	None	2025-12-02 14:39:34 UTC
Red Hat Product Errata	RHSA-2025:22668	None	None	None	2025-12-03 14:49:34 UTC
Red Hat Product Errata	RHSA-2025:22899	None	None	None	2025-12-09 08:00:25 UTC
Red Hat Product Errata	RHSA-2025:23001	None	None	None	2025-12-10 00:31:33 UTC
Red Hat Product Errata	RHSA-2025:23002	None	None	None	2025-12-10 01:06:09 UTC
Red Hat Product Errata	RHSA-2025:23087	None	None	None	2025-12-11 00:54:19 UTC
Red Hat Product Errata	RHSA-2025:23088	None	None	None	2025-12-11 00:25:41 UTC

Description OSIDB Bzimport 2025-10-29 23:02:14 UTC

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Comment 2 errata-xmlrpc 2025-11-20 00:17:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:21779 https://access.redhat.com/errata/RHSA-2025:21779

Comment 3 errata-xmlrpc 2025-11-20 00:28:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:21778 https://access.redhat.com/errata/RHSA-2025:21778

Comment 4 errata-xmlrpc 2025-11-20 06:18:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:21816 https://access.redhat.com/errata/RHSA-2025:21816

Comment 5 errata-xmlrpc 2025-11-20 06:28:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:21815 https://access.redhat.com/errata/RHSA-2025:21815

Comment 6 errata-xmlrpc 2025-11-20 15:42:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:21856 https://access.redhat.com/errata/RHSA-2025:21856

Comment 7 errata-xmlrpc 2025-11-24 14:54:51 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:21964 https://access.redhat.com/errata/RHSA-2025:21964

Comment 8 errata-xmlrpc 2025-11-25 04:58:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:22012 https://access.redhat.com/errata/RHSA-2025:22012

Comment 9 errata-xmlrpc 2025-11-25 05:17:05 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:22011 https://access.redhat.com/errata/RHSA-2025:22011

Comment 10 errata-xmlrpc 2025-11-25 07:55:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:22030 https://access.redhat.com/errata/RHSA-2025:22030

Comment 11 errata-xmlrpc 2025-11-26 15:02:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:22181 https://access.redhat.com/errata/RHSA-2025:22181

Comment 12 errata-xmlrpc 2025-12-02 14:39:27 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.20

Via RHSA-2025:22255 https://access.redhat.com/errata/RHSA-2025:22255

Comment 13 errata-xmlrpc 2025-12-03 14:49:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:22668 https://access.redhat.com/errata/RHSA-2025:22668

Comment 14 errata-xmlrpc 2025-12-09 08:00:18 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:22899 https://access.redhat.com/errata/RHSA-2025:22899

Comment 15 errata-xmlrpc 2025-12-10 00:31:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:23001 https://access.redhat.com/errata/RHSA-2025:23001

Comment 16 errata-xmlrpc 2025-12-10 01:06:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:23002 https://access.redhat.com/errata/RHSA-2025:23002

Comment 17 errata-xmlrpc 2025-12-11 00:25:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:23088 https://access.redhat.com/errata/RHSA-2025:23088

Comment 18 errata-xmlrpc 2025-12-11 00:54:11 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:23087 https://access.redhat.com/errata/RHSA-2025:23087

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
akostadi
alcohan
alizardo
amasferr
amctagga
anjoseph
anpicker
ansmith
aoconnor
asatyam
bbrownin
bdettelb
bniver
bparees
brainfor
dhanak
diagrawa
dmayorov
doconnor
drosa
dsimansk
dymurray
eglynn
fdeutsch
flucifre
gmeno
gparvin
groman
hasun
ibolton
jbalunas
jcantril
jchui
jfula
jhe
jjoyce
jkoehler
jlledo
jmatthew
jmontleo
jowilson
jprabhak
jschluet
kingland
ktsao
kverlaen
lball
lchilton
ldai
lgamliel
lhh
lphiri
lsharar
lsvaty
lucarval
manissin
matzew
mbenjamin
mburns
mgarciac
mhackett
mnovotny
mwringe
nboldt
ngough
nyancey
ometelka
oramraz
owatkins
pahickey
pantinor
peholase
pgaikwad
pgrist
pjindal
psrna
ptisnovs
rfreiman
rhaigner
rjohnson
rojacob
sabiswas
sausingh
sdawley
sfeifer
slucidi
smullick
sostapov
sseago
stirabos
syedriko
teagle
thason
tsedmik
vereddy
veshanka
whayutin
wtam
xdharmai