mirror
/
go
mirror of https://github.com/golang/go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
go/src/archive
History
Damien Neil 0bf7ee9977 archive/tar: limit size of headers 
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
For #54853

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/439355
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
 		2022-10-05 20:40:43 +00:00
..
tar archive/tar: limit size of headers 2022-10-05 20:40:43 +00:00
zip archive/zip: use strings.TrimPrefix 2022-09-29 20:45:56 +00:00