Bug 1204024 – VUL-0: CVE-2022-2879: go1.18,go1.19: archive/tar: unbounded memory consumption when reading headers

Bug 1204024 - (CVE-2022-2879) VUL-0: CVE-2022-2879: go1.18,go1.19: archive/tar: unbounded memory consumption when reading headers

(CVE-2022-2879)
Summary:	VUL-0: CVE-2022-2879: go1.18,go1.19: archive/tar: unbounded memory consumptio...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/344235/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-2879:7.5:(AV:N...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-10-04 21:16 UTC by Jeff Kowalczyk
Modified:	2022-12-05 14:20 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeff Kowalczyk 2022-10-04 21:16:37 UTC

Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

Comment 1 OBSbugzilla Bot 2022-10-05 03:35:08 UTC

This is an autogenerated message for OBS integration:
This bug (1204024) was mentioned in
https://build.opensuse.org/request/show/1008077 Factory / go1.18
https://build.opensuse.org/request/show/1008078 Factory / go1.19

Comment 3 Swamp Workflow Management 2022-10-20 01:20:28 UTC

SUSE-SU-2022:3669-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1200441,1204023,1204024,1204025
CVE References: CVE-2022-2879,CVE-2022-2880,CVE-2022-41715
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.19-1.19.2-150000.1.12.1
openSUSE Leap 15.3 (src):    go1.19-1.19.2-150000.1.12.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.19-1.19.2-150000.1.12.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.19-1.19.2-150000.1.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 Swamp Workflow Management 2022-10-20 01:21:29 UTC

SUSE-SU-2022:3668-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1193742,1204023,1204024,1204025
CVE References: CVE-2022-2879,CVE-2022-2880,CVE-2022-41715
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    go1.18-1.18.7-150000.1.34.1
openSUSE Leap 15.3 (src):    go1.18-1.18.7-150000.1.34.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    go1.18-1.18.7-150000.1.34.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.18-1.18.7-150000.1.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Marcus Meissner 2022-12-05 14:20:29 UTC

done