[AutoPR- Security] Patch moby-engine for CVE-2025-58183 [MEDIUM] (#15102)

Author: azurelinux-security

SPECS/moby-engine/CVE-2025-58183.patch

@@ -0,0 +1,62 @@
+From 9d9605d279c66333caaf20b3f46a440d659c48c2 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Sat, 15 Nov 2025 06:37:02 +0000
+Subject: [PATCH] archive/tar: set a limit on the size of GNU sparse file 1.0
+ regions; cap to maxSpecialFileSize; add errSparseTooLong; update reader to
+ enforce limit
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/vbatts/tar-split/commit/55da7d6b43bd806ee785d783bdf66bcf302af118.patch
+---
+ vendor/github.com/vbatts/tar-split/archive/tar/common.go | 1 +
+ vendor/github.com/vbatts/tar-split/archive/tar/reader.go | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/common.go b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+index dee9e47..e687a08 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/common.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+@@ -34,6 +34,7 @@ var (
+ 	errMissData        = errors.New("archive/tar: sparse file references non-existent data")
+ 	errUnrefData       = errors.New("archive/tar: sparse file contains unreferenced data")
+ 	errWriteHole       = errors.New("archive/tar: write non-NUL byte in sparse hole")
++	errSparseTooLong   = errors.New("archive/tar: sparse map too long")
+ )
+ 
+ type headerError []string
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index 40f6c86..7a56fa1 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -576,12 +576,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 		cntNewline int64
+ 		buf        bytes.Buffer
+ 		blk        block
++		totalSize  int
+ 	)
+ 
+ 	// feedTokens copies data in blocks from r into buf until there are
+ 	// at least cnt newlines in buf. It will not read more blocks than needed.
+ 	feedTokens := func(n int64) error {
+ 		for cntNewline < n {
++			totalSize += len(blk)
++			if totalSize > maxSpecialFileSize {
++				return errSparseTooLong
++			}
+ 			if _, err := mustReadFull(r, blk[:]); err != nil {
+ 				return err
+ 			}
+@@ -614,8 +619,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 	}
+ 
+ 	// Parse for all member entries.
+-	// numEntries is trusted after this since a potential attacker must have
+-	// committed resources proportional to what this library used.
++	// numEntries is trusted after this since feedTokens limits the number of
++	// tokens based on maxSpecialFileSize.
+ 	if err := feedTokens(2 * numEntries); err != nil {
+ 		return nil, err
+ 	}
+-- 
+2.45.4
+

SPECS/moby-engine/moby-engine.spec

@@ -3,7 +3,7 @@
 Summary: The open-source application container engine
 Name:    moby-engine
 Version: 25.0.3
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: ASL 2.0
 Group:   Tools/Container
 URL: https://mobyproject.org
@@ -28,6 +28,7 @@ Patch10: CVE-2025-22868.patch
 Patch11: CVE-2025-22869.patch
 Patch12: CVE-2025-30204.patch
 Patch13: CVE-2024-51744.patch
+Patch14: CVE-2025-58183.patch
 
 %{?systemd_requires}
 
@@ -123,6 +124,9 @@ fi
 %{_unitdir}/*
 
 %changelog
+* Sat Nov 15 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 25.0.3-14
+- Patch for CVE-2025-58183
+
 * Fri May 23 2025 Akhila Guruju <v-guakhila@microsoft.com> - 25.0.3-13
 - Patch CVE-2024-51744