[AutoPR- Security] Patch skopeo for CVE-2025-58183 [MEDIUM] (#15098)

Author: azurelinux-security

SPECS/skopeo/CVE-2025-58183.patch

@@ -0,0 +1,62 @@
+From 56075937df952d2369510b4544c8a7debe800f2d Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Sat, 15 Nov 2025 06:17:24 +0000
+Subject: [PATCH] archive/tar: limit GNU sparse 1.0 map size using
+ maxSpecialFileSize; add errSparseTooLong error and test fixture
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/vbatts/tar-split/commit/55da7d6b43bd806ee785d783bdf66bcf302af118.patch
+---
+ .../github.com/vbatts/tar-split/archive/tar/common.go  |  1 +
+ .../github.com/vbatts/tar-split/archive/tar/reader.go  | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/common.go b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+index dee9e47..e687a08 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/common.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/common.go
+@@ -34,6 +34,7 @@ var (
+ 	errMissData        = errors.New("archive/tar: sparse file references non-existent data")
+ 	errUnrefData       = errors.New("archive/tar: sparse file contains unreferenced data")
+ 	errWriteHole       = errors.New("archive/tar: write non-NUL byte in sparse hole")
++	errSparseTooLong   = errors.New("archive/tar: sparse map too long")
+ )
+ 
+ type headerError []string
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index 40f6c86..e508f5a 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -576,12 +576,18 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 		cntNewline int64
+ 		buf        bytes.Buffer
+ 		blk        block
++		totalSize  int
+ 	)
+ 
+ 	// feedTokens copies data in blocks from r into buf until there are
+ 	// at least cnt newlines in buf. It will not read more blocks than needed.
+ 	feedTokens := func(n int64) error {
+ 		for cntNewline < n {
++			// Limit the amount of sparse map data read to avoid unbounded memory usage.
++			totalSize += len(blk)
++			if totalSize > maxSpecialFileSize {
++				return errSparseTooLong
++			}
+ 			if _, err := mustReadFull(r, blk[:]); err != nil {
+ 				return err
+ 			}
+@@ -614,8 +620,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 	}
+ 
+ 	// Parse for all member entries.
+-	// numEntries is trusted after this since a potential attacker must have
+-	// committed resources proportional to what this library used.
++	// numEntries is trusted after this since feedTokens limits the number of
++	// tokens based on maxSpecialFileSize.
+ 	if err := feedTokens(2 * numEntries); err != nil {
+ 		return nil, err
+ 	}
+-- 
+2.45.4
+

SPECS/skopeo/skopeo.spec

@@ -1,7 +1,7 @@
 Summary:        Inspect container images and repositories on registries
 Name:           skopeo
 Version:        1.14.4
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -14,6 +14,7 @@ Patch2:         CVE-2023-45288.patch
 Patch3:         CVE-2024-9676.patch
 Patch4:         CVE-2025-27144.patch
 Patch5:         CVE-2025-58058.patch
+Patch6:         CVE-2025-58183.patch
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -52,6 +53,9 @@ make test-unit-local
 %{_mandir}/man1/%%{name}*
 
 %changelog
+* Sat Nov 15 2025 Azure Linux Security Servicing Account <[email protected]> - 1.14.4-7
+- Patch for CVE-2025-58183
+
 * Wed Sep 03 2025 Azure Linux Security Servicing Account <[email protected]> - 1.14.4-6
 - Patch for CVE-2025-58058