[AutoPR- Security] Patch gh for CVE-2025-58183 [MEDIUM] (#15096)

azurelinux-security · archana25-ms · web-flow · commit c2b6667c1eeb · 2025-12-02T17:38:55.000+05:30
Co-authored-by: Archana Shettigar &lt;v-shettigara@microsoft.com&gt;
diff --git a/SPECS/gh/CVE-2025-58183.patch b/SPECS/gh/CVE-2025-58183.patch
@@ -0,0 +1,83 @@
+From 2c9e7f55aa25221e776bad497448442dde6b2ef0 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Sat, 15 Nov 2025 05:50:08 +0000
+Subject: [PATCH] archive/tar: set a limit on the size of GNU sparse file 1.0
+ regions
+
+Cap the size of the sparse block data to the same limit used for PAX headers (1 MiB). Add errSparseTooLong error and enforce maxSpecialFileSize when reading GNU PAX 1.0 sparse maps. Update comments accordingly.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/vbatts/tar-split/commit/55da7d6b43bd806ee785d783bdf66bcf302af118.patch
+---
+ .../vbatts/tar-split/archive/tar/common.go           |  3 +++
+ .../vbatts/tar-split/archive/tar/format.go           |  3 +++
+ .../vbatts/tar-split/archive/tar/reader.go           | 12 ++++++++++--
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/common.go b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+index dee9e47..bb43fbe 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/common.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+@@ -34,6 +34,9 @@ var (
+ 	errMissData        = errors.New("archive/tar: sparse file references non-existent data")
+ 	errUnrefData       = errors.New("archive/tar: sparse file contains unreferenced data")
+ 	errWriteHole       = errors.New("archive/tar: write non-NUL byte in sparse hole")
++	// errSparseTooLong is returned when the GNU PAX 1.0 sparse map exceeds the
++	// maximum permitted size for special file data (same as PAX headers).
++	errSparseTooLong   = errors.New("archive/tar: sparse map too long")
+ )
+ 
+ type headerError []string
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/format.go b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+index 1f89d0c..62dc505 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/format.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+@@ -143,6 +143,9 @@ const (
+ 	blockSize  = 512 // Size of each block in a tar stream
+ 	nameSize   = 100 // Max length of the name field in USTAR format
+ 	prefixSize = 155 // Max length of the prefix field in USTAR format
++	// maxSpecialFileSize caps the size of special file data, such as PAX headers.
++	// This is set to 1 MiB to avoid excessive memory allocation on malicious inputs.
++	maxSpecialFileSize = 1 << 20
+ )
+ 
+ // blockPadding computes the number of bytes needed to pad offset up to the
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index fcf3215..176b40f 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -577,12 +577,20 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 		cntNewline int64
+ 		buf        bytes.Buffer
+ 		blk        block
++		// totalSize tracks the total size of the sparse map data read.
++		totalSize  int
+ 	)
+ 
+ 	// feedTokens copies data in blocks from r into buf until there are
+ 	// at least cnt newlines in buf. It will not read more blocks than needed.
+ 	feedTokens := func(n int64) error {
+ 		for cntNewline < n {
++			// Increase totalSize by the size of the block to enforce a cap
++			totalSize += len(blk)
++			// Enforce the same cap as PAX header size: maxSpecialFileSize
++			if totalSize > maxSpecialFileSize {
++				return errSparseTooLong
++			}
+ 			if _, err := mustReadFull(r, blk[:]); err != nil {
+ 				return err
+ 			}
+@@ -615,8 +623,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 	}
+ 
+ 	// Parse for all member entries.
+-	// numEntries is trusted after this since a potential attacker must have
+-	// committed resources proportional to what this library used.
++	// numEntries is trusted after this since feedTokens limits the number of
++	// tokens based on maxSpecialFileSize.
+ 	if err := feedTokens(2 * numEntries); err != nil {
+ 		return nil, err
+ 	}
+-- 
+2.45.4
+
diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec
@@ -1,7 +1,7 @@
 Summary:        GitHub official command line tool
 Name:           gh
 Version:        2.62.0
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -23,8 +23,9 @@ Patch7:         CVE-2025-27144.patch
 Patch8:         CVE-2025-22869.patch
 Patch9:         CVE-2025-22872.patch
 Patch10:        CVE-2025-48938.patch
+Patch11:        CVE-2025-58183.patch
 
-BuildRequires:  golang < 1.23
+BuildRequires:  golang < 1.24
 BuildRequires:  git
 Requires:       git
 %global debug_package %{nil}
@@ -50,6 +51,7 @@ make GH_VERSION="v%{version}" bin/gh manpages
 install -Dm755 bin/gh %{buildroot}%{_bindir}/gh
 install -d %{buildroot}%{_mandir}/man1/
 cp share/man/man1/* %{buildroot}%{_mandir}/man1
+mv %{buildroot}%{_mandir}/man1/gh-repo-license* .
 
 %check
 make test
@@ -59,12 +61,16 @@ make test
 %license LICENSE
 %doc README.md
 %{_bindir}/gh
+%license gh-repo-license*
 %{_mandir}/man1/*
 %{_datadir}/bash-completion/completions/gh
 %{_datadir}/fish/vendor_completions.d/gh.fish
 %{_datadir}/zsh/site-functions/_gh
 
 %changelog
+* Sat Nov 15 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.62.0-10
+- Patch for CVE-2025-58183
+
 * Mon Jun 16 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 2.62.0-9
 - Patch CVE-2025-48938
 
