Bug 1982331 (CVE-2021-36374)

Summary: CVE-2021-36374 ant: excessive memory allocation when reading a specially crafted ZIP archive or a derived formats
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abenaiss, aileenc, akoufoud, alazarot, anstephe, asoldano, bbaranow, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, eleandro, eparis, fjuma, gmalinko, gvarsami, hhorak, ibek, iweiss, janstey, jaromir.capik, java-maint-sig, java-sig-commits, jburrell, jcoleman, jochrist, jolee, jorton, jpallich, jperkins, jrokos, jschatte, jwon, kverlaen, kwills, ldimaggi, lgao, loleary, mizdebsk, mnovotny, msochure, msrb, msvehla, nstielau, nwallace, pantinor, pjindal, pmackay, rguimara, rstancel, rsvoboda, rwagner, smaestri, sponnaga, tcunning, theute, tom.jenkinson, yborgess
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Apache Ant 1.9.16, Ant 1.10.11 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1982332, 1982333, 1982334, 1984963, 1984964, 1988319, 1988320, 1988321, 1988322, 1988323    
Bug Blocks: 1982341    

Description Guilherme de Almeida Suckevicz 2021-07-14 17:51:37 UTC 
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Reference:
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E
Comment 1 Guilherme de Almeida Suckevicz 2021-07-14 17:52:23 UTC 
Created ant tracking bugs for this issue:

Affects: fedora-all [bug 1982332]


Created ant:1.10/ant tracking bugs for this issue:

Affects: fedora-all [bug 1982333]


Created javapackages-bootstrap:202001/ant tracking bugs for this issue:

Affects: fedora-all [bug 1982334]
Comment 8 Hardik Vyas 2021-07-22 14:32:34 UTC 
Upstream fix: https://github.com/apache/ant/commit/6594a2d66f7f060dafcbbf094dd60676db19a842