commit e9bbc41dd1 removed our fork of
pkg/archive that was in place to mitigate CVE-2019-14271. As part of that
change, a nosysFileInfo type was added to prevent tar.FileInfoHeader from
looking up user- and group-names.
A proposal was pending in go https://go.dev/issue/50102 to define an
interface for implementing custom lookup functions, and to disable go's
builtin lookup. That proposal was accepted, and is now
implemented in go1.23.
This patch makes the nosysFileInfo implement the tar.FileInfoNames interface
to prevent tar.FileInfoHeader from performing its own lookups. While the
mitigation implemented in e9bbc41dd1 should
already prevent this from happening, implementing the interface does not
cost us much and is complementary to the existing mitigation.
This patch keeps the mitigation added in a316b10dab
in place for any unforeseen other code.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
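
The following is an added example, not code from this commit or from the project: a minimal Go sketch of a FileInfo wrapper that implements tar.FileInfoNames so tar.FileInfoHeader performs no user or group lookups. It needs go1.23 or later; the Sys() override returning nil, the empty-string return values, and the helper headerWithoutLookup are assumptions made for illustration.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io/fs"
	"os"
)

// nosysFileInfo wraps a FileInfo for use with tar.FileInfoHeader.
// Illustrative sketch only; the project's own type may differ.
type nosysFileInfo struct{ fs.FileInfo }

// Sys hides the platform stat data (assumed form of the earlier mitigation),
// so FileInfoHeader has no uid/gid to resolve and leaves Uid/Gid at zero.
func (nosysFileInfo) Sys() any { return nil }

// Uname and Gname satisfy tar.FileInfoNames. When the interface is present,
// FileInfoHeader uses these values and skips its built-in name lookups.
func (nosysFileInfo) Uname() (string, error) { return "", nil }
func (nosysFileInfo) Gname() (string, error) { return "", nil }

// Compile-time check: the build fails if the interface is not implemented.
var _ tar.FileInfoNames = nosysFileInfo{}

// headerWithoutLookup (hypothetical helper) builds a tar header for path
// without resolving user or group names on the host.
func headerWithoutLookup(path string) (*tar.Header, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	return tar.FileInfoHeader(nosysFileInfo{fi}, "")
}

func main() {
	f, err := os.CreateTemp("", "nosys-example-*") // constructed sample file
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.Close()
	hdr, err := headerWithoutLookup(f.Name())
	if err != nil {
		panic(err)
	}
	fmt.Printf("uname=%q gname=%q uid=%d gid=%d\n", hdr.Uname, hdr.Gname, hdr.Uid, hdr.Gid)
}
```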