diff --git a/0133-CVE-2025-58183-archive-tar-set-a-limit-on-the.patch b/0133-CVE-2025-58183-archive-tar-set-a-limit-on-the.patch new file mode 100644 index 0000000000000000000000000000000000000000..9530ad070fa54cbb272fc8104515227385052521 --- /dev/null +++ b/0133-CVE-2025-58183-archive-tar-set-a-limit-on-the.patch @@ -0,0 +1,90 @@ +From f7a68d3804efabd271f0338391858bc1e7e57422 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Thu, 11 Sep 2025 13:32:10 -0700 +Subject: [PATCH] archive/tar: set a limit on the size of GNU + sparse file 1.0 regions + +Sparse files in tar archives contain only the non-zero components +of the file. There are several different encodings for sparse +files. When reading GNU tar pax 1.0 sparse files, archive/tar did +not set a limit on the size of the sparse region data. A malicious +archive containing a large number of sparse blocks could cause +archive/tar to read an unbounded amount of data from the archive +into memory. + +Reference: https://go-review.googlesource.com/c/go/+/709861 +Conflict: no + +Since a malicious input can be highly compressable, a small +compressed input could cause very large allocations. + +Cap the size of the sparse block data to the same limit used +for PAX headers (1 MiB). + +Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/) +for reporting this issue. + +Fixes CVE-2025-58183 +Fixes #75677 + +Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800 +Reviewed-by: Roland Shoemaker +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-review.googlesource.com/c/go/+/709861 +Auto-Submit: Michael Pratt +TryBot-Bypass: Michael Pratt +Reviewed-by: Carlos Amedee +--- + src/archive/tar/common.go | 1 + + src/archive/tar/reader.go | 9 +++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/archive/tar/common.go b/src/archive/tar/common.go +index dee9e47..e687a08 100644 +--- a/src/archive/tar/common.go ++++ b/src/archive/tar/common.go +@@ -34,6 +34,7 @@ var ( + errMissData = errors.New("archive/tar: sparse file references non-existent data") + errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data") + errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole") ++ errSparseTooLong = errors.New("archive/tar: sparse map too long") + ) + + type headerError []string +diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go +index ec45ae3..ddc61de 100644 +--- a/src/archive/tar/reader.go ++++ b/src/archive/tar/reader.go +@@ -519,12 +519,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { + cntNewline int64 + buf bytes.Buffer + blk block ++ totalSize int + ) + + // feedTokens copies data in blocks from r into buf until there are + // at least cnt newlines in buf. It will not read more blocks than needed. + feedTokens := func(n int64) error { + for cntNewline < n { ++ totalSize += len(blk) ++ if totalSize > maxSpecialFileSize { ++ return errSparseTooLong ++ } + if _, err := mustReadFull(r, blk[:]); err != nil { + return err + } +@@ -557,8 +562,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { + } + + // Parse for all member entries. +- // numEntries is trusted after this since a potential attacker must have +- // committed resources proportional to what this library used. ++ // numEntries is trusted after this since feedTokens limits the number of ++ // tokens based on maxSpecialFileSize. + if err := feedTokens(2 * numEntries); err != nil { + return nil, err + } +-- +2.43.0 + diff --git a/0134-CVE-2025-61724-net-textproto-avoid-quadratic-complexity.patch b/0134-CVE-2025-61724-net-textproto-avoid-quadratic-complexity.patch new file mode 100644 index 0000000000000000000000000000000000000000..3d94c5441e418989b2459c927f58861ed96ea929 --- /dev/null +++ b/0134-CVE-2025-61724-net-textproto-avoid-quadratic-complexity.patch @@ -0,0 +1,70 @@ +From 5ede095649db7783726c28390812bca9ce2c684a Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Tue, 30 Sep 2025 15:11:16 -0700 +Subject: [PATCH] net/textproto: avoid quadratic complexity in + Reader.ReadResponse + +Reader.ReadResponse constructed a response string from repeated +string concatenation, permitting a malicious sender to cause excessive +memory allocation and CPU consumption by sending a response consisting +of many short lines. + +Reference: https://go-review.googlesource.com/c/go/+/709859 +Conclict: no + +Use a strings.Builder to construct the string instead. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-61724 +Fixes #75716 + +Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2940 +Reviewed-by: Roland Shoemaker +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-review.googlesource.com/c/go/+/709859 +TryBot-Bypass: Michael Pratt +Auto-Submit: Michael Pratt +Reviewed-by: Carlos Amedee +--- + src/net/textproto/reader.go | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index b377a7c..13819a5 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -289,8 +289,10 @@ func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err err + // An expectCode <= 0 disables the check of the status code. + // + func (r *Reader) ReadResponse(expectCode int) (code int, message string, err error) { +- code, continued, message, err := r.readCodeLine(expectCode) ++ code, continued, first, err := r.readCodeLine(expectCode) + multi := continued ++ var messageBuilder strings.Builder ++ messageBuilder.WriteString(first) + for continued { + line, err := r.ReadLine() + if err != nil { +@@ -301,12 +303,15 @@ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err err + var moreMessage string + code2, continued, moreMessage, err = parseCodeLine(line, 0) + if err != nil || code2 != code { +- message += "\n" + strings.TrimRight(line, "\r\n") ++ messageBuilder.WriteByte('\n') ++ messageBuilder.WriteString(strings.TrimRight(line, "\r\n")) + continued = true + continue + } +- message += "\n" + moreMessage ++ messageBuilder.WriteByte('\n') ++ messageBuilder.WriteString(moreMessage) + } ++ message = messageBuilder.String() + if err != nil && multi && message != "" { + // replace one line error message with all lines (full message) + err = &Error{code, message} +-- +2.43.0 + diff --git a/golang.spec b/golang.spec index 5237e4f28a87b3356f4a707ac30ee03875968e44..e484354f0db766210de674547586acf6bde989dc 100644 --- a/golang.spec +++ b/golang.spec @@ -58,7 +58,7 @@ Name: golang Version: 1.15.7 -Release: 54 +Release: 55 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -274,6 +274,8 @@ Patch6129: 0129-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch Patch6130: 0130-CVE-2025-47907-database-sql-avoid-closing-Rows-while-scan-is-in-pro.patch Patch6131: 0131-CVE-2025-47906-os-exec-fix-incorrect-expansion-of-.-and-.-in-LookPa.patch Patch6132: 0132-backport-CVE-2025-22871-net-http-reject-newlines-in-chunk-siz.patch +Patch6133: 0133-CVE-2025-58183-archive-tar-set-a-limit-on-the.patch +Patch6134: 0134-CVE-2025-61724-net-textproto-avoid-quadratic-complexity.patch Patch9002: 0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch @@ -512,6 +514,12 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Sat Nov 8 2025 huzhangying - 1.15.7-55 +- Type:CVE +- CVE:CVE-2025-58183, CVE-2025-61724 +- SUG:NA +- DESC:fix CVE-2025-58183, CVE-2025-61724 + * Wed Aug 27 2025 songliyang - 1.15.7-54 - Type:CVE - CVE:CVE-2025-22871