Patch skopeo for CVE-2025-58183

Author: azurelinux-security

SPECS/skopeo/CVE-2025-58183.patch

@@ -0,0 +1,67 @@
+From ae107b2e9910340a8f5faafb5f4316609991b507 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Mon, 17 Nov 2025 08:57:04 +0000
+Subject: [PATCH] archive/tar: set a limit on the size of GNU sparse file 1.0
+ regions
+
+Cap the size of the sparse block data to the same limit used for PAX headers (1 MiB).
+
+This is a port of upstream commit 2612dcfd3cb6dd73c76e14a24fe1a68e2708e4e3.
+
+Fixes CVE-2025-58183
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport from existing Build 984415 of https://github.com/vbatts/tar-split/commit/55da7d6b43bd806ee785d783bdf66bcf302af118.patch
+---
+ vendor/github.com/vbatts/tar-split/archive/tar/common.go | 1 +
+ vendor/github.com/vbatts/tar-split/archive/tar/reader.go | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/common.go b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+index dee9e47..e687a08 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/common.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+@@ -34,6 +34,7 @@ var (
+ 	errMissData        = errors.New("archive/tar: sparse file references non-existent data")
+ 	errUnrefData       = errors.New("archive/tar: sparse file contains unreferenced data")
+ 	errWriteHole       = errors.New("archive/tar: write non-NUL byte in sparse hole")
++	errSparseTooLong   = errors.New("archive/tar: sparse map too long")
+ )
+ 
+ type headerError []string
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index 40f6c86..7a56fa1 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -576,12 +576,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 		cntNewline int64
+ 		buf        bytes.Buffer
+ 		blk        block
++		totalSize  int
+ 	)
+ 
+ 	// feedTokens copies data in blocks from r into buf until there are
+ 	// at least cnt newlines in buf. It will not read more blocks than needed.
+ 	feedTokens := func(n int64) error {
+ 		for cntNewline < n {
++			totalSize += len(blk)
++			if totalSize > maxSpecialFileSize {
++				return errSparseTooLong
++			}
+ 			if _, err := mustReadFull(r, blk[:]); err != nil {
+ 				return err
+ 			}
+@@ -614,8 +619,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 	}
+ 
+ 	// Parse for all member entries.
+-	// numEntries is trusted after this since a potential attacker must have
+-	// committed resources proportional to what this library used.
++	// numEntries is trusted after this since feedTokens limits the number of
++	// tokens based on maxSpecialFileSize.
+ 	if err := feedTokens(2 * numEntries); err != nil {
+ 		return nil, err
+ 	}
+-- 
+2.45.4
+

SPECS/skopeo/skopeo.spec

@@ -1,7 +1,7 @@
 Summary:        Inspect container images and repositories on registries
 Name:           skopeo
 Version:        1.14.4
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -14,6 +14,7 @@ Patch2:         CVE-2023-45288.patch
 Patch3:         CVE-2024-9676.patch
 Patch4:         CVE-2025-27144.patch
 Patch5:         CVE-2025-58058.patch
+Patch6:         CVE-2025-58183.patch
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -52,6 +53,9 @@ make test-unit-local
 %{_mandir}/man1/%%{name}*
 
 %changelog
+* Mon Nov 17 2025 Azure Linux Security Servicing Account <[email protected]> - 1.14.4-7
+- Patch for CVE-2025-58183
+
 * Wed Sep 03 2025 Azure Linux Security Servicing Account <[email protected]> - 1.14.4-6
 - Patch for CVE-2025-58058