From 79d42735a0f5bbfb3a33d6ffa9ca5062c76ea53b Mon Sep 17 00:00:00 2001
From: huzhangying <huzhangying@huawei.com>
Date: Fri, 7 Nov 2025 12:57:51 +0800
Subject: [PATCH 1/2] fix CVE-2025-58183

---
 ...chive-tar-set-a-limit-on-the-size-of.patch | 126 ++++++++++++++++++
 golang.spec                                   |   9 +-
 2 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 1009-CVE-2025-58183-archive-tar-set-a-limit-on-the-size-of.patch

diff --git a/1009-CVE-2025-58183-archive-tar-set-a-limit-on-the-size-of.patch b/1009-CVE-2025-58183-archive-tar-set-a-limit-on-the-size-of.patch
new file mode 100644
index 0000000..438850b
--- /dev/null
+++ b/1009-CVE-2025-58183-archive-tar-set-a-limit-on-the-size-of.patch
@@ -0,0 +1,126 @@
+From f7a68d3804efabd271f0338391858bc1e7e57422 Mon Sep 17 00:00:00 2001 
+From: Damien Neil <dneil@google.com> 
+Date: Thu, 11 Sep 2025 13:32:10 -0700 
+Subject: [PATCH] archive/tar: set a limit on the size of GNU
+ sparse file 1.0 regions
+
+Sparse files in tar archives contain only the non-zero components
+of the file. There are several different encodings for sparse
+files. When reading GNU tar pax 1.0 sparse files, archive/tar did
+not set a limit on the size of the sparse region data. A malicious
+archive containing a large number of sparse blocks could cause
+archive/tar to read an unbounded amount of data from the archive
+into memory.
+
+Since a malicious input can be highly compressable, a small
+compressed input could cause very large allocations.
+
+Cap the size of the sparse block data to the same limit used
+for PAX headers (1 MiB).
+
+Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
+for reporting this issue.
+
+Fixes CVE-2025-58183
+Fixes #75677
+
+Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/709861
+Auto-Submit: Michael Pratt <mpratt@google.com>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+---
+ src/archive/tar/common.go                        |   1 +
+ src/archive/tar/reader.go                        |   9 +++++++--
+ src/archive/tar/reader_test.go                   |   5 +++++
+ .../tar/testdata/gnu-sparse-many-zeros.tar.bz2   | Bin 0 -> 1642 bytes
+ 4 files changed, 13 insertions(+), 2 deletions(-)
+ create mode 100644 src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
+
+diff --git a/src/archive/tar/common.go b/src/archive/tar/common.go
+index 7b3945f..ad31bbb 100644
+--- a/src/archive/tar/common.go
++++ b/src/archive/tar/common.go
+@@ -39,6 +39,7 @@ var (
+ 	errMissData        = errors.New("archive/tar: sparse file references non-existent data")
+ 	errUnrefData       = errors.New("archive/tar: sparse file contains unreferenced data")
+ 	errWriteHole       = errors.New("archive/tar: write non-NUL byte in sparse hole")
++	errSparseTooLong   = errors.New("archive/tar: sparse map too long")
+ )
+ 
+ type headerError []string
+diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
+index 8483fb5..16ac2f5 100644
+--- a/src/archive/tar/reader.go
++++ b/src/archive/tar/reader.go
+@@ -531,12 +531,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 		cntNewline int64
+ 		buf        bytes.Buffer
+ 		blk        block
++		totalSize  int
+ 	)
+ 
+ 	// feedTokens copies data in blocks from r into buf until there are
+ 	// at least cnt newlines in buf. It will not read more blocks than needed.
+ 	feedTokens := func(n int64) error {
+ 		for cntNewline < n {
++			totalSize += len(blk)
++			if totalSize > maxSpecialFileSize {
++				return errSparseTooLong
++			}
+ 			if _, err := mustReadFull(r, blk[:]); err != nil {
+ 				return err
+ 			}
+@@ -569,8 +574,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 	}
+ 
+ 	// Parse for all member entries.
+-	// numEntries is trusted after this since a potential attacker must have
+-	// committed resources proportional to what this library used.
++	// numEntries is trusted after this since feedTokens limits the number of
++	// tokens based on maxSpecialFileSize.
+ 	if err := feedTokens(2 * numEntries); err != nil {
+ 		return nil, err
+ 	}
+diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go
+index 99340a3..fca53da 100644
+--- a/src/archive/tar/reader_test.go
++++ b/src/archive/tar/reader_test.go
+@@ -621,6 +621,11 @@ func TestReader(t *testing.T) {
+ 			},
+ 			Format: FormatPAX,
+ 		}},
++	}, {
++		// Small compressed file that uncompresses to
++		// a file with a very large GNU 1.0 sparse map.
++		file: "testdata/gnu-sparse-many-zeros.tar.bz2",
++		err:  errSparseTooLong,
+ 	}}
+ 
+ 	for _, v := range vectors {
+diff --git a/src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2 b/src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
+new file mode 100644
+index 0000000000000000000000000000000000000000..751d7fd4b68be1a7439413b4089dbbde33a2900a
+GIT binary patch
+literal 1642
+zcmZ>Y%CIzaj8qGb%wCwXiS2H0{DC_Y9GL$z2|RUTNGrcrz`)SKVZd<Pm@_!!*1Q&@
+z%!w@*7dt!qd^Kg6a@k960`ry24h#%TUdvZ5^YIbvY*1^stgI{ldo_CngS+^_C+6A;
+zGK>rPcO01{ps1pvVeGD$*OEWa_73ksV;zBwoQh0BPEH%vtSITeAlMvtlB3E`^y)8{
+zw~<bPl{Q`m@6Ki^CwRWL&05`|a`eF8>&+g8{-?Ahs_oW3u(QcHog6FpP~f~~=z-9g
+zf_wTZ7^XHZn&-}Zc8R{Fft9C2PEyk*pJkiw?fk^YcK6r>1_p%&1_y>jhFQI$94?0z
+za?Cl(nljTjt?TS76W-mu3JeU63=9nnhZs#ILKKBvodhkrxK0|)I$ibrgoSju6wr@N
+z42%qnElgP^KzXhfrD74$NvWo@w9QvsFnedxz`)4Dz{J4J!Ez-rpv4zx#WM|Ul~dWe
+zujeZ~$i0&Z3?dE&76vu}&J`B}T70wwI?n`zc}}^OvF6@lhub?YF)*+QFmN#NC<q6(
+zIthZTn6Y5ZWX(0(*VQyPZZBNIz`&uvAiyBuptcz3HiH#T>X1lVw7II6Iq$It1A~AA
+zg93v=gRdLVZlD!@quw8l{n5lfn)hi|^v!SyiA^y0F{gnCT=X?DusWMCWpyr3vv&I)
+ZCg2!yghOkJkj3svnul7NKE7EI0RUq%CTjoy
+
+literal 0
+HcmV?d00001
+
+-- 
+2.43.0
+
diff --git a/golang.spec b/golang.spec
index fedefcc..b7a96ad 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@
 
 Name:           golang
 Version:        1.24.2
-Release:        39
+Release:        40
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -133,6 +133,7 @@ Patch1006:	1006-CVE-2025-4674-disable-support-for-multiple-vcs-in-one-module.pat
 Patch1007:  1007-CVE-2025-22873-avoid-escape-from-Root-via-paths-endi.patch
 # Missing part of Patch1001
 Patch1008:  1008-cmd-internal-obj-enable-got-pcrel-itype-in-fips140-for-riscv64.patch
+Patch1009:      1009-CVE-2025-58183-archive-tar-set-a-limit-on-the-size-of.patch
 
 # Backport of RVA23
 Patch2001:	2001-cpu-internal-provide-runtime-detection-of-RISC-V-ext.patch
@@ -413,6 +414,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Fri Nov 7 2025 huzhangying <huzhangying@huawei.com> - 1.24.2-40
+- Type:CVE
+- CVE:CVE-2025-58183
+- SUG:NA
+- DESC:fix CVE-2025-58183
+
 * Thu Sep 25 2025 Julian Zhu <julian.oerv@isrc.iscas.ac.cn> - 1.24.2-39
 - Backport RISC-V RVA23 support
 
-- 
Gitee


From 8af5ec84af4797b678b3db5040cfc407163474d2 Mon Sep 17 00:00:00 2001
From: huzhangying <huzhangying@huawei.com>
Date: Fri, 7 Nov 2025 14:18:21 +0800
Subject: [PATCH 2/2] fix spec

---
 golang.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/golang.spec b/golang.spec
index b7a96ad..fcfc88c 100644
--- a/golang.spec
+++ b/golang.spec
@@ -133,7 +133,7 @@ Patch1006:	1006-CVE-2025-4674-disable-support-for-multiple-vcs-in-one-module.pat
 Patch1007:  1007-CVE-2025-22873-avoid-escape-from-Root-via-paths-endi.patch
 # Missing part of Patch1001
 Patch1008:  1008-cmd-internal-obj-enable-got-pcrel-itype-in-fips140-for-riscv64.patch
-Patch1009:      1009-CVE-2025-58183-archive-tar-set-a-limit-on-the-size-of.patch
+Patch1009:  1009-CVE-2025-58183-archive-tar-set-a-limit-on-the-size-of.patch
 
 # Backport of RVA23
 Patch2001:	2001-cpu-internal-provide-runtime-detection-of-RISC-V-ext.patch
-- 
Gitee