diff --git a/SPECS/skopeo/CVE-2025-58183.patch b/SPECS/skopeo/CVE-2025-58183.patch
new file mode 100644
index 00000000000..40b13c8cf32
--- /dev/null
+++ b/SPECS/skopeo/CVE-2025-58183.patch
@@ -0,0 +1,67 @@
+From ae107b2e9910340a8f5faafb5f4316609991b507 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 17 Nov 2025 08:57:04 +0000
+Subject: [PATCH] archive/tar: set a limit on the size of GNU sparse file 1.0
+ regions
+
+Cap the size of the sparse block data to the same limit used for PAX headers (1 MiB).
+
+This is a port of upstream commit 2612dcfd3cb6dd73c76e14a24fe1a68e2708e4e3.
+
+Fixes CVE-2025-58183
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport from existing Build 984415 of https://github.com/vbatts/tar-split/commit/55da7d6b43bd806ee785d783bdf66bcf302af118.patch
+---
+ vendor/github.com/vbatts/tar-split/archive/tar/common.go | 1 +
+ vendor/github.com/vbatts/tar-split/archive/tar/reader.go | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/common.go b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+index dee9e47..e687a08 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/common.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+@@ -34,6 +34,7 @@ var (
+ errMissData = errors.New("archive/tar: sparse file references non-existent data")
+ errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data")
+ errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole")
++ errSparseTooLong = errors.New("archive/tar: sparse map too long")
+ )
+
+ type headerError []string
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index 40f6c86..7a56fa1 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -576,12 +576,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ cntNewline int64
+ buf bytes.Buffer
+ blk block
++ totalSize int
+ )
+
+ // feedTokens copies data in blocks from r into buf until there are
+ // at least cnt newlines in buf. It will not read more blocks than needed.
+ feedTokens := func(n int64) error {
+ for cntNewline < n {
++ totalSize += len(blk)
++ if totalSize > maxSpecialFileSize {
++ return errSparseTooLong
++ }
+ if _, err := mustReadFull(r, blk[:]); err != nil {
+ return err
+ }
+@@ -614,8 +619,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ }
+
+ // Parse for all member entries.
+- // numEntries is trusted after this since a potential attacker must have
+- // committed resources proportional to what this library used.
++ // numEntries is trusted after this since feedTokens limits the number of
++ // tokens based on maxSpecialFileSize.
+ if err := feedTokens(2 * numEntries); err != nil {
+ return nil, err
+ }
+--
+2.45.4
+
diff --git a/SPECS/skopeo/skopeo.spec b/SPECS/skopeo/skopeo.spec
index 9e066aa2168..59b82b9c0ae 100644
--- a/SPECS/skopeo/skopeo.spec
+++ b/SPECS/skopeo/skopeo.spec
@@ -1,7 +1,7 @@
 Summary: Inspect container images and repositories on registries
 Name: skopeo
 Version: 1.14.4
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -14,6 +14,7 @@ Patch2: CVE-2023-45288.patch
 Patch3: CVE-2024-9676.patch
 Patch4: CVE-2025-27144.patch
 Patch5: CVE-2025-58058.patch
+Patch6: CVE-2025-58183.patch
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -52,6 +53,9 @@ make test-unit-local
 %{_mandir}/man1/%%{name}*
 %changelog
+* Mon Nov 17 2025 Azure Linux Security Servicing Account - 1.14.4-7
+- Patch for CVE-2025-58183
+
 * Wed Sep 03 2025 Azure Linux Security Servicing Account - 1.14.4-6
 - Patch for CVE-2025-58058
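Review bot: In the reader.go hunk of the new patch, the added guard `if totalSize > maxSpecialFileSize` references a constant that this patch does not define, whereas `errSparseTooLong` is explicitly added to common.go; the backport only builds if the vendored tar-split copy already declares `maxSpecialFileSize` (presumably the 1 MiB PAX-header limit the commit message refers to). That is worth confirming against the vendored tree, since a missing identifier fails the build rather than silently omitting the cap. Note that `totalSize += len(blk)` runs before `mustReadFull`, so the limit is checked against the block about to be read rather than after it has been consumed, which matches the wording of the upstream change being ported. The backport carries no regression test; a unit test that hands `readGNUSparseMap1x0` a sparse-map stream exceeding `maxSpecialFileSize` and expects `errSparseTooLong` would pin the fix in this vendored copy. The body of readGNUSparseMap1x0 begins and ends outside both inner hunks.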