
archive/tar: malformed input causes panic in parsePAXRecord [1.15 backport] #44183

Closed
gopherbot opened this issue Feb 9, 2021 · 2 comments

Comments

@gopherbot

@odeke-em requested issue #40196 to be considered for backport to the next 1.15 minor release.

@gopherbot please backport this issue as it is a security problem and has existed for the past 8 years as per https://codereview.appspot.com/6700047.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Feb 9, 2021
@gopherbot gopherbot added this to the Go1.15.9 milestone Feb 9, 2021
@gopherbot
Author

Change https://golang.org/cl/290650 mentions this issue: [release-branch.go1.15] archive/tar: detect out of bounds accesses in PAX records resulting from padded lengths

@dmitshur
Contributor

Thanks for making this backport request. This bug is not considered a security problem and has been around for many years before it was first reported. There is a really good workaround: to catch the possible panic when handling untrusted tar input.

This isn't meeting the criteria for backport to Go 1.15 and 1.14, so we'll leave the fix for Go 1.16 and onwards.
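As an added illustration of the workaround described in the comment above (not code from the Go project or from anyone in this thread): a wrapper that recovers from a panic raised while parsing an archive and returns it as an ordinary error. The `panicReader` type is a constructed stand-in that simulates the parser panic; no malformed PAX record is reproduced here.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// panicReader is a constructed stand-in for input that makes the parser panic.
type panicReader struct{}
func (panicReader) Read([]byte) (int, error) { panic("simulated parser panic") }

// readTarEntries lists entry names in a tar stream, turning any panic raised
// while parsing into an ordinary error so untrusted input cannot crash the process.
func readTarEntries(r io.Reader) (names []string, err error) {
	defer func() {
		if p := recover(); p != nil {
			names, err = nil, fmt.Errorf("tar: malformed input: %v", p)
		}
	}()
	tr := tar.NewReader(r)
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return names, nil
		}
		if nerr != nil {
			return nil, nerr
		}
		names = append(names, hdr.Name) // Next() skips the entry body for us
	}
}

// buildTar constructs a small in-memory archive from (name, body) pairs as sample input.
func buildTar(files [][2]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range files {
		_ = tw.WriteHeader(&tar.Header{Name: f[0], Mode: 0o644, Size: int64(len(f[1]))})
		_, _ = tw.Write([]byte(f[1]))
	}
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	names, err := readTarEntries(bytes.NewReader(buildTar([][2]string{{"a.txt", "hello"}})))
	fmt.Println(names, err) // [a.txt] <nil>
}
```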

@dmitshur dmitshur removed the CherryPickCandidate Used during the release process for point releases label Mar 4, 2021
@toothrot toothrot modified the milestones: Go1.15.9, Go1.15.10 Mar 10, 2021
@golang golang locked and limited conversation to collaborators Mar 10, 2022