[release-1.34] OCPBUGS-65593: Fix CVE-2025-58183: Update tar-split to v0.12.2 #9590

saschagrunert · 2025-11-13T11:36:57Z

What type of PR is this?

/kind bug

What this PR does / why we need it:

Fixes CVE-2025-58183 by updating tar-split to v0.12.2.

CVE-2025-58183 is an unbounded allocation vulnerability in archive/tar when parsing GNU sparse map files. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory.

tar-split v0.12.2 includes the fix that caps sparse block data to 1 MiB (same limit as PAX headers).

OpenShift Version: 4.21

Which issue(s) this PR fixes:

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2407258

Fixes: https://issues.redhat.com/browse/OCPBUGS-65593

Special notes for your reviewer:

This PR updates:

go.mod with tar-split v0.12.2
go.sum
Vendored dependencies (vendor/)

The vulnerability affects CRI-O's container image layer extraction code path through containers/storage which uses tar-split (a vendored fork of Go's archive/tar).

Note: No OCPBUGS JIRA issue is available for OpenShift 4.21.

Does this PR introduce a user-facing change?

Fixed CVE-2025-58183: Updated tar-split to v0.12.2 to fix unbounded memory allocation vulnerability when parsing malicious container images with GNU sparse tar files.

openshift-ci-robot · 2025-11-13T11:37:00Z

@saschagrunert: No Jira issue with key CVE-2025 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2025-11-13T11:37:27Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot · 2025-11-13T11:48:11Z

@saschagrunert: This pull request references Jira Issue OCPBUGS-63773, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
expected Jira Issue OCPBUGS-63773 to depend on a bug in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-11-13T12:10:50Z

@saschagrunert: No Jira issue with key CVE-2025 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-11-13T12:10:53Z

@saschagrunert: The referenced Jira(s) [CVE-2025] could not be located, all automatically applied jira labels will be removed.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-11-13T12:12:44Z

@saschagrunert: No Jira issue with key CVE-2025 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

codecov · 2025-11-13T14:51:16Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.63%. Comparing base (56df1c6) to head (0e11883).
⚠️ Report is 2 commits behind head on release-1.34.

Additional details and impacted files

@@               Coverage Diff                @@
##           release-1.34    #9590      +/-   ##
================================================
- Coverage         63.64%   63.63%   -0.02%     
================================================
  Files               202      202              
  Lines             28164    28164              
================================================
- Hits              17926    17922       -4     
- Misses             8635     8640       +5     
+ Partials           1603     1602       -1

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

CVE-2025-58183 is an unbounded allocation vulnerability in archive/tar when parsing GNU sparse map files. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. This update brings tar-split to v0.12.2 which includes the fix that caps sparse block data to 1 MiB (same limit as PAX headers). Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2407258 CVE: CVE-2025-58183 Signed-off-by: Sascha Grunert <[email protected]>

openshift-ci-robot · 2025-11-13T16:52:18Z

@saschagrunert: This pull request references Jira Issue OCPBUGS-65593, which is valid. The bug has been moved to the POST state.

5 validation(s) were run on this bug

bug is open, matching expected state (open)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-65574 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
bug has dependents

Requesting review from QA contact:
/cc @lyman9966

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2025-11-13T16:52:21Z

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: lyman9966.

Note that only cri-o members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci-robot · 2025-11-13T16:52:28Z

@saschagrunert: This pull request references Jira Issue OCPBUGS-65593, which is valid.

5 validation(s) were run on this bug

bug is open, matching expected state (open)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-65574 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
bug has dependents

Requesting review from QA contact:
/cc @lyman9966

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2025-11-13T16:52:31Z

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: lyman9966.

Note that only cri-o members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci · 2025-11-13T20:12:10Z

@saschagrunert: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	`0e11883`	link	true	`/test e2e-aws-ovn`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

bitoku · 2025-11-18T08:40:11Z

/lgtm

saschagrunert · 2025-11-18T10:50:45Z

Merging, this seems to get stuck in the tide merge pool.

openshift-ci-robot · 2025-11-18T10:50:55Z

@saschagrunert: Jira Issue OCPBUGS-65593: All pull requests linked via external trackers have merged:

cri-o/cri-o#9590

Jira Issue OCPBUGS-65593 has been moved to the MODIFIED state.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

saschagrunert requested a review from mrunalp as a code owner November 13, 2025 11:36

openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: no Indicates the PR's author has not DCO signed all their commits. kind/bug Categorizes issue or PR as related to a bug. labels Nov 13, 2025

openshift-ci bot requested review from QiWang19 and klihub November 13, 2025 11:37

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 13, 2025

saschagrunert force-pushed the fix-cve-2025-58183-release-1.34 branch from 417801d to 1132fb7 Compare November 13, 2025 11:40

openshift-ci bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Nov 13, 2025

saschagrunert changed the title ~~Fix CVE-2025-58183: Update tar-split to v0.12.2~~ [release-1.34] Fix CVE-2025-58183: Update tar-split to v0.12.2 Nov 13, 2025

saschagrunert changed the title ~~[release-1.34] Fix CVE-2025-58183: Update tar-split to v0.12.2~~ [release-1.34] OCPBUGS-63773: Fix CVE-2025-58183: Update tar-split to v0.12.2 Nov 13, 2025

saschagrunert changed the title ~~[release-1.34] OCPBUGS-63773: Fix CVE-2025-58183: Update tar-split to v0.12.2~~ [release-1.34] Fix CVE-2025-58183: Update tar-split to v0.12.2 Nov 13, 2025

openshift-ci-robot removed jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Nov 13, 2025

openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Nov 13, 2025

saschagrunert force-pushed the fix-cve-2025-58183-release-1.34 branch from 1132fb7 to a68a9e0 Compare November 13, 2025 16:42

saschagrunert force-pushed the fix-cve-2025-58183-release-1.34 branch from a68a9e0 to 0e11883 Compare November 13, 2025 16:43

saschagrunert changed the title ~~[release-1.34] Fix CVE-2025-58183: Update tar-split to v0.12.2~~ [release-1.34] OCPBUGS-65593: Fix CVE-2025-58183: Update tar-split to v0.12.2 Nov 13, 2025

openshift-ci bot assigned bitoku Nov 18, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 18, 2025

saschagrunert merged commit 1c0c22c into cri-o:release-1.34 Nov 18, 2025
45 of 54 checks passed

saschagrunert deleted the fix-cve-2025-58183-release-1.34 branch November 18, 2025 10:51

[release-1.34] OCPBUGS-65593: Fix CVE-2025-58183: Update tar-split to v0.12.2 #9590

[release-1.34] OCPBUGS-65593: Fix CVE-2025-58183: Update tar-split to v0.12.2 #9590

Uh oh!

Conversation

saschagrunert commented Nov 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

openshift-ci-robot commented Nov 13, 2025

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

openshift-ci bot commented Nov 13, 2025

Uh oh!

openshift-ci-robot commented Nov 13, 2025

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

openshift-ci-robot commented Nov 13, 2025

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

openshift-ci-robot commented Nov 13, 2025

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

openshift-ci-robot commented Nov 13, 2025

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

codecov bot commented Nov 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

openshift-ci-robot commented Nov 13, 2025

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

openshift-ci bot commented Nov 13, 2025

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

openshift-ci-robot commented Nov 13, 2025

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

openshift-ci bot commented Nov 13, 2025

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

saschagrunert commented Nov 13, 2025 •

edited

Loading

codecov bot commented Nov 13, 2025 •

edited

Loading