[scarthgap,v2,04/41] go: fix CVE-2025-58183

Message ID	e0285488a93cf3b369ad7424d55938791f57174f.1782252148.git.yoann.congal@smile.fr
State	New
Headers	show Return-Path: <yoann.congal@smile.fr> ip: 209.85.128.51, mailfrom: yoann.congal@smile.fr) From: Yoann Congal <yoann.congal@smile.fr> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap v2 04/41] go: fix CVE-2025-58183 Date: Wed, 24 Jun 2026 00:26:03 +0200 Message-ID: <e0285488a93cf3b369ad7424d55938791f57174f.1782252148.git.yoann.congal@smile.fr> In-Reply-To: <cover.1782252148.git.yoann.congal@smile.fr> References: <cover.1782252148.git.yoann.congal@smile.fr> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,v2,01/41] pseudo: Update to version 1.9.8 \| expand [scarthgap,v2,01/41] pseudo: Update to version 1.9.8 [scarthgap,v2,02/41] openssh: fix CVE-2026-35386 [scarthgap,v2,03/41] tiff: fix CVE-2026-4775 [scarthgap,v2,04/41] go: fix CVE-2025-58183 [scarthgap,v2,05/41] go: fix CVE-2026-25679 [scarthgap,v2,06/41] go: fix CVE-2026-32288 [scarthgap,v2,07/41] binutils: Fix CVE-2025-69644 [scarthgap,v2,08/41] python3: Fix CVE-2026-3644 and CVE-2026-0672 [scarthgap,v2,09/41] python3: Fix CVE-2026-4519 and CVE-2026-4786 [scarthgap,v2,10/41] python3: Fix CVE-2026-6019 [scarthgap,v2,11/41] python3: Fix CVE-2025-13462 [scarthgap,v2,12/41] qemu: Fix CVE-2024-6519 [scarthgap,v2,13/41] dpkg: Fix CVE-2026-2219 [scarthgap,v2,14/41] libsolv: fix CVE-2026-9150 [scarthgap,v2,15/41] openssl: upgrade 3.5.6 -> 3.5.7 [scarthgap,v2,16/41] libinput: fix for CVE-2026-50292 [scarthgap,v2,17/41] gdb: backport a patch to fix static_assert in recent GCC [scarthgap,v2,18/41] oeqa/core/runner: stub addDuration in OETestResult [scarthgap,v2,19/41] classes/gtk-icon-cache: fix libdir passed to the postrm intercept [scarthgap,v2,20/41] python3: CVE-2026-3087 not applicable [scarthgap,v2,21/41] bzip2: set CVE_PRODUCT [scarthgap,v2,22/41] apr-util: Add CVE_PRODUCT to support product name [scarthgap,v2,23/41] apr: Add CVE_PRODUCT to support product name [scarthgap,v2,24/41] go-binary-native: set status for CVE-2026-39836 [scarthgap,v2,25/41] go: set status for CVE-2026-39836 [scarthgap,v2,26/41] rust,libstd-rs: set status for CVE-2024-3566 [scarthgap,v2,27/41] oeqa/runtime/parselogs: update pci BAR ignore for kernel 6.10 [scarthgap,v2,28/41] linux-yocto/6.6: update to v6.6.129 [scarthgap,v2,29/41] linux-yocto/6.6: update to v6.6.130 [scarthgap,v2,30/41] linux-yocto/6.6: update to v6.6.132 [scarthgap,v2,31/41] linux-yocto/6.6: update to v6.6.134 [scarthgap,v2,32/41] linux-yocto/6.6: update to v6.6.135 [scarthgap,v2,33/41] linux-yocto/6.6: update to v6.6.136 [scarthgap,v2,34/41] linux-yocto/6.6: update to v6.6.137 [scarthgap,v2,35/41] linux-yocto/6.6: update to v6.6.138 [scarthgap,v2,36/41] linux-yocto/6.6: update to v6.6.140 [scarthgap,v2,37/41] linux-yocto/6.6: update to v6.6.141 [scarthgap,v2,38/41] linux-yocto/6.6: update to v6.6.142 [scarthgap,v2,39/41] lttng-modules: Fix trace_hrtimer_start build failure [scarthgap,v2,40/41] linux-yocto/6.6: genericarm64 fix configuration audit warning [scarthgap,v2,41/41] linux-yocto/6.6: address ltp hang

Message ID

e0285488a93cf3b369ad7424d55938791f57174f.1782252148.git.yoann.congal@smile.fr

State

New

Headers

From: Yoann Congal <yoann.congal@smile.fr>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap v2 04/41] go: fix CVE-2025-58183
Date: Wed, 24 Jun 2026 00:26:03 +0200
Message-ID: 
 <e0285488a93cf3b369ad7424d55938791f57174f.1782252148.git.yoann.congal@smile.fr>
In-Reply-To: <cover.1782252148.git.yoann.congal@smile.fr>
References: <cover.1782252148.git.yoann.congal@smile.fr>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,v2,01/41] pseudo: Update to version 1.9.8 | expand

Commit Message

Yoann Congal June 23, 2026, 10:26 p.m. UTC

From: Sudhir Dumbhare <sudumbha@cisco.com>

This patch applies the upstream fix [1], as referenced in [2],
to address unbounded memory consumption when reading GNU tar pax
1.0 sparse file regions in archive/tar.

[1] https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556
[2] https://security-tracker.debian.org/tracker/CVE-2025-58183

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-58183

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/go/go-1.22.12.inc       |   1 +
 .../go/go/CVE-2025-58183.patch                | 107 ++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58183.patch

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 7016acd0616..f6feb1d0b5f 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -58,6 +58,7 @@  SRC_URI += "\
     file://CVE-2026-42501.patch \
     file://CVE-2026-42504.patch \
     file://CVE-2026-42507.patch \
+    file://CVE-2025-58183.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
 
diff --git a/meta/recipes-devtools/go/go/CVE-2025-58183.patch b/meta/recipes-devtools/go/go/CVE-2025-58183.patch
new file mode 100644
index 00000000000..51a4f02ddcd
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-58183.patch
@@ -0,0 +1,107 @@ 
+From c25bf45db0b232e8ad9d2bc53e61678ebc5efe90 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Thu, 11 Sep 2025 13:32:10 -0700
+Subject: [PATCH] [release-branch.go1.24] archive/tar: set a limit on the
+ size of GNU sparse file 1.0 regions
+
+Sparse files in tar archives contain only the non-zero components
+of the file. There are several different encodings for sparse
+files. When reading GNU tar pax 1.0 sparse files, archive/tar did
+not set a limit on the size of the sparse region data. A malicious
+archive containing a large number of sparse blocks could cause
+archive/tar to read an unbounded amount of data from the archive
+into memory.
+
+Since a malicious input can be highly compressable, a small
+compressed input could cause very large allocations.
+
+Cap the size of the sparse block data to the same limit used
+for PAX headers (1 MiB).
+
+Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
+for reporting this issue.
+
+Fixes CVE-2025-58183
+For #75677
+Fixes #75710
+
+CVE: CVE-2025-58183
+Upstream-Status: Backport [https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556]
+
+Backport Changes:
+- The upstream fix includes a testdata tarball as a git binary diff.
+  However, quilt cannot apply git binary diffs and fails with the error:
+  "File src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2:
+   git binary diffs are not supported."
+- As a result, the unnecessary bzip2 test file
+  src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
+  has been removed.
+- Furthermore, in src/archive/tar/reader_test.go, within the TestReader()
+  function, the test vector entry for testdata/gnu-sparse-many-zeros.tar.bz2
+  has been removed.
+
+Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2967
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/709843
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+(cherry picked from commit 613e746327381d820759ebea6ce722720b343556)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ src/archive/tar/common.go | 1 +
+ src/archive/tar/reader.go | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/tar/common.go b/src/archive/tar/common.go
+index 4910908f81e..ec1b8668547 100644
+--- a/src/archive/tar/common.go
++++ b/src/archive/tar/common.go
+@@ -38,6 +38,7 @@ var (
+ 	errMissData        = errors.New("archive/tar: sparse file references non-existent data")
+ 	errUnrefData       = errors.New("archive/tar: sparse file contains unreferenced data")
+ 	errWriteHole       = errors.New("archive/tar: write non-NUL byte in sparse hole")
++	errSparseTooLong   = errors.New("archive/tar: sparse map too long")
+ )
+ 
+ type headerError []string
+diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
+index 0811779adda..71d0b20b76d 100644
+--- a/src/archive/tar/reader.go
++++ b/src/archive/tar/reader.go
+@@ -531,12 +531,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 		cntNewline int64
+ 		buf        bytes.Buffer
+ 		blk        block
++		totalSize  int
+ 	)
+ 
+ 	// feedTokens copies data in blocks from r into buf until there are
+ 	// at least cnt newlines in buf. It will not read more blocks than needed.
+ 	feedTokens := func(n int64) error {
+ 		for cntNewline < n {
++			totalSize += len(blk)
++			if totalSize > maxSpecialFileSize {
++				return errSparseTooLong
++			}
+ 			if _, err := mustReadFull(r, blk[:]); err != nil {
+ 				return err
+ 			}
+@@ -569,8 +574,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 	}
+ 
+ 	// Parse for all member entries.
+-	// numEntries is trusted after this since a potential attacker must have
+-	// committed resources proportional to what this library used.
++	// numEntries is trusted after this since feedTokens limits the number of
++	// tokens based on maxSpecialFileSize.
+ 	if err := feedTokens(2 * numEntries); err != nil {
+ 		return nil, err
+ 	}
+-- 
+2.35.6
+

[scarthgap,v2,04/41] go: fix CVE-2025-58183

Commit Message

Patch