Skip to content

fix(path-compression): CVE-2025-3445 #2731

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

fix(path-compression): CVE-2025-3445 #2731

wants to merge 15 commits into from

Conversation

scharissis
Copy link

Description

Replaced the deprecated mholt/archiver with the new mholt/archives, in the process addressing security vulnerability CVE-2025-3445. See: https://nvd.nist.gov/vuln/detail/CVE-2025-3445

Is this change user facing?

NO

References (if applicable)

https://nvd.nist.gov/vuln/detail/CVE-2025-3445

@scharissis scharissis changed the title CVE-2025-3445 fix(path-compression): CVE-2025-3445 Apr 24, 2025
@scharissis
Copy link
Author

scharissis commented Apr 24, 2025
edited
Loading

It appears the build is failing due to auth issues only?

@kurtosis-tech/engineers, @tedim52 - I believe this is ready for review.

@tedim52
Copy link
Collaborator

tedim52 commented Apr 24, 2025

Hey @scharissis - will take a look at this today.

@scharissis
Copy link
Author

Hey @tedim52 , let me know if you have any questions on this or if I can help progress it in any way.

tedim52
tedim52 reviewed Apr 30, 2025
View reviewed changes
path-compression/path_compression_test.go
require.NoError(t, err)
require.Equal(t, compressedDataBytes, compressedDataBytesAgain)
require.Equal(t, sizeAgain, size)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the reason for removing the check between the previous hash and the new hash size?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They no longer match.
My assumption was that the compression algorithm changed and that this isn't actually an important invariant to be maintained or tested.
Is this true?

tedim52
tedim52 reviewed Apr 30, 2025
View reviewed changes
scharissis added 2 commits May 2, 2025 08:41
@scharissis
fix(path-compression): replace redundant archiver.
677cf9f 
Replaced the deprecated mholt/archiver with the new mholt/archives, in the process addressing security vulnerability CVE-2025-3445.
See: https://nvd.nist.gov/vuln/detail/CVE-2025-3445
@scharissis
reworded error messages to match style guide
bf837cb
@scharissis scharissis force-pushed the scharissis/fix-CVE-2025-3445 branch from c4e96d3 to bf837cb Compare May 1, 2025 22:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tedim52 tedim52 tedim52 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@scharissis @tedim52