archive/tar: unbounded memory consumption when reading headers #54853

Description

@neild

Reader.Read did not set a limit on the maximum size of file headers.
A maliciously crafted archive could cause Read to allocate unbounded
amounts of memory, potentially causing resource exhaustion or panics.
Reader.Read now limits the maximum size of header blocks to 1 MiB.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.
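As an added illustration (not code from the Go project or from this issue), the shape of archive the report describes, built in memory, plus a probe that counts how many bytes archive/tar pulls from the stream before Next returns. The constant name maxSpecialFileSize and all helper names are assumptions; the only value taken from the fix is the 1 MiB cap. On a toolchain that contains the fix (Go 1.19.2 / 1.18.7 or later) Next returns tar.ErrFieldTooLong after one header block plus 1 MiB + 1 bytes; on earlier releases the reader first copies the entire claimed PAX body into memory with io.ReadAll and only then fails on the garbage records. The second archive, produced by tar.Writer, shows that an ordinary PAX header (long file name) stays far below the cap and still parses.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxSpecialFileSize mirrors the 1 MiB cap the fix added to archive/tar
// (the constant name is an assumption; only the value comes from the fix).
const maxSpecialFileSize = 1 << 20

// craftedPAXArchive builds an in-memory tar stream (constructed sample input)
// whose first entry is a PAX extended header (typeflag 'x') claiming bodySize
// bytes of records, followed by that many filler bytes. The filler is not a
// valid PAX record; the attacker-controlled size field is what matters.
func craftedPAXArchive(bodySize int) []byte {
	var hdr [512]byte
	copy(hdr[0:], "PaxHeaders/evil")                    // name
	copy(hdr[100:], "0000644\x00")                       // mode
	copy(hdr[108:], "0000000\x00")                       // uid
	copy(hdr[116:], "0000000\x00")                       // gid
	copy(hdr[124:], fmt.Sprintf("%011o\x00", bodySize)) // size, octal
	copy(hdr[136:], "00000000000\x00")                   // mtime
	hdr[156] = tar.TypeXHeader                           // 'x'
	copy(hdr[257:], "ustar\x00")                         // magic
	copy(hdr[263:], "00")                                // version
	// Checksum: byte sum of the block with the chksum field taken as spaces.
	copy(hdr[148:], "        ")
	sum := 0
	for _, b := range hdr {
		sum += int(b)
	}
	copy(hdr[148:], fmt.Sprintf("%06o\x00 ", sum))

	var buf bytes.Buffer
	buf.Write(hdr[:])
	buf.Write(bytes.Repeat([]byte{'A'}, bodySize))
	buf.Write(make([]byte, (512-bodySize%512)%512)) // block padding
	buf.Write(make([]byte, 1024))                   // end-of-archive marker
	return buf.Bytes()
}

// countingReader records how many bytes archive/tar actually pulled from the
// underlying stream; that, not the size field, is what the fix bounds.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// probe runs tar.Reader.Next once over the archive and returns the number of
// bytes consumed before Next returned, together with Next's error.
func probe(archive []byte) (int64, error) {
	cr := &countingReader{r: bytes.NewReader(archive)}
	_, err := tar.NewReader(cr).Next()
	return cr.n, err
}

// rejectsOversizedHeader reports whether the reader refused the header with
// ErrFieldTooLong after consuming at most one block plus maxSpecialFileSize+1
// bytes, i.e. the post-fix behaviour.
func rejectsOversizedHeader(archive []byte) bool {
	consumed, err := probe(archive)
	return errors.Is(err, tar.ErrFieldTooLong) && consumed <= 512+maxSpecialFileSize+1
}

// legitArchive uses tar.Writer to emit a PAX header the ordinary way: a
// 300-character name does not fit the USTAR name field, so the writer adds a
// small 'x' entry carrying a path record. Constructed sample input.
func legitArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("hello")
	hdr := &tar.Header{Name: strings.Repeat("a", 300), Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(body); err != nil {
		panic(err)
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// firstName returns the (PAX-merged) name of the archive's first entry.
func firstName(archive []byte) (string, error) {
	hdr, err := tar.NewReader(bytes.NewReader(archive)).Next()
	if err != nil {
		return "", err
	}
	return hdr.Name, nil
}

func main() {
	evil := craftedPAXArchive(2 << 20) // claims, and supplies, a 2 MiB PAX body
	consumed, err := probe(evil)
	fmt.Printf("crafted: consumed %d of %d bytes, err=%v\n", consumed, len(evil), err)
	name, err := firstName(legitArchive())
	fmt.Printf("legit: first entry name length %d, err=%v\n", len(name), err)
}
```

The cap applies to each special header individually, and the reader still streams the rest of the archive, so an application that accepts archives from the network should additionally bound the whole stream (io.LimitReader, or http.MaxBytesReader on an HTTP body) rather than rely on the library's per-header limit alone.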
