[AutoPR- Security] Patch containerized-data-importer for CVE-2026-32288 [MEDIUM] (#16754)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: azurelinux-security

SPECS/containerized-data-importer/CVE-2026-32288.patch

@@ -0,0 +1,124 @@
+From 0bd8354eb316bc25cc698e276be032ba4ceca855 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 23 Mar 2026 13:12:44 -0700
+Subject: [PATCH] archive/tar: limit the number of old GNU sparse format
+ entries
+
+We did not set a limit on the maximum size of sparse maps in
+the old GNU sparse format. Set a limit based on the cumulative
+size of the extension blocks used to encode the map (consistent
+with how we limit the sparse map size for other formats).
+
+Add an additional limit to the total number of sparse file entries,
+regardless of encoding, to all sparse formats.
+
+Thanks to Colin Walters (walters@verbum.org),
+Uuganbayar Lkhamsuren (https://github.com/uug4na),
+and Jakub Ciolek for reporting this issue.
+
+Fixes #78301
+Fixes CVE-2026-32288
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream Patch reference: https://github.com/golang/go/commit/82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e
+---
+ .../vbatts/tar-split/archive/tar/format.go    |  6 ++++
+ .../vbatts/tar-split/archive/tar/reader.go    | 28 ++++++++++++++++---
+ 2 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/format.go b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+index 6097798..6f31845 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/format.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+@@ -147,6 +147,12 @@ const (
+ 	// Max length of a special file (PAX header, GNU long name or link).
+ 	// This matches the limit used by libarchive.
+ 	maxSpecialFileSize = 1 << 20
++
++	// Maximum number of sparse file entries.
++	// We should never actually hit this limit
++	// (every sparse encoding will first be limited by maxSpecialFileSize),
++	// but this adds an additional layer of defense.
++	maxSparseFileEntries = 1 << 20
+ )
+ 
+ // blockPadding computes the number of bytes needed to pad offset up to the
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index bea60e9..8573499 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -532,7 +532,8 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err
+ 	}
+ 	s := blk.GNU().Sparse()
+ 	spd := make(sparseDatas, 0, s.MaxEntries())
+-	for {
++	totalSize := len(s)
++	for totalSize < maxSpecialFileSize {
+ 		for i := 0; i < s.MaxEntries(); i++ {
+ 			// This termination condition is identical to GNU and BSD tar.
+ 			if s.Entry(i).Offset()[0] == 0x00 {
+@@ -543,7 +544,11 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err
+ 			if p.err != nil {
+ 				return nil, p.err
+ 			}
+-			spd = append(spd, sparseEntry{Offset: offset, Length: length})
++			var err error
++			spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length})
++			if err != nil {
++				return nil, err
++			}
+ 		}
+ 
+ 		if s.IsExtended()[0] > 0 {
+@@ -555,10 +560,12 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err
+ 				tr.rawBytes.Write(blk[:])
+ 			}
+ 			s = blk.Sparse()
++			totalSize += len(s)
+ 			continue
+ 		}
+ 		return spd, nil // Done
+ 	}
++	return nil, errSparseTooLong
+ }
+ 
+ // readGNUSparseMap1x0 reads the sparse map as stored in GNU's PAX sparse format
+@@ -632,7 +639,10 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ 		if err1 != nil || err2 != nil {
+ 			return nil, ErrHeader
+ 		}
+-		spd = append(spd, sparseEntry{Offset: offset, Length: length})
++		spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length})
++		if err != nil {
++			return nil, err
++		}
+ 	}
+ 	return spd, nil
+ }
+@@ -666,12 +676,22 @@ func readGNUSparseMap0x1(paxHdrs map[string]string) (sparseDatas, error) {
+ 		if err1 != nil || err2 != nil {
+ 			return nil, ErrHeader
+ 		}
+-		spd = append(spd, sparseEntry{Offset: offset, Length: length})
++		spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length})
++		if err != nil {
++			return nil, err
++		}
+ 		sparseMap = sparseMap[2:]
+ 	}
+ 	return spd, nil
+ }
+ 
++func appendSparseEntry(spd sparseDatas, ent sparseEntry) (sparseDatas, error) {
++	if len(spd) >= maxSparseFileEntries {
++		return nil, errSparseTooLong
++	}
++	return append(spd, ent), nil
++}
++
+ // Read reads from the current file in the tar archive.
+ // It returns (0, io.EOF) when it reaches the end of that file,
+ // until Next is called to advance to the next file.
+-- 
+2.45.4
+

SPECS/containerized-data-importer/containerized-data-importer.spec

@@ -18,7 +18,7 @@
 Summary:        Container native virtualization
 Name:           containerized-data-importer
 Version:        1.62.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -31,6 +31,7 @@ Patch2:         CVE-2025-58058.patch
 Patch3:         CVE-2025-58183.patch
 Patch4:         CVE-2025-47911.patch
 Patch5:         CVE-2025-58190.patch
+Patch6:         CVE-2026-32288.patch
 BuildRequires:  golang < 1.25
 BuildRequires:  golang-packaging
 BuildRequires:  libnbd-devel
@@ -225,6 +226,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m
 %{_datadir}/cdi/manifests
 
 %changelog
+* Mon Apr 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.62.0-3
+- Patch for CVE-2026-32288
+
 * Thu Feb 12 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.62.0-2
 - Patch for CVE-2025-58190, CVE-2025-47911