Bug 810406 (CVE-2012-2098)

Summary: CVE-2012-2098 apache-commons-compress: denial of service flaw when compressing certain files
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: akurtako, brms-jira, epp-bugs, java-sig-commits, jbpapp-maint, jcoleman, jlieskov, jrusnack, mbenitez, mizdebsk, mjc, mmatejov, msrb, ncross, nwallace, ovasik, pcheung, rzhang, security-response-team, sochotni, SpikeFedora, theute, tkirby, tradej, zzoubkov
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: apache-commons-compress 1.4.1, ant 1.8.4
Doc Type: Bug Fix
Last Closed: 2019-06-10 10:58:27 UTC
Bug Depends On: 824708
Bug Blocks: 810408, 951526

Description Vincent Danen 2012-04-05 22:17:39 UTC
A flaw was found in the Apache commons-compress Java library when compressing files using bzip2 compression.  If a malicious user were to provide a specially-crafted file to a service using commons-compress, it would take an extremely long time to compress the file, which could possibly lead to a denial of service.

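The flaw described above is an algorithmic-complexity problem: a crafted input makes the bzip2 block sort run for an extremely long time, so a service that compresses attacker-supplied data with a pre-1.4.1 commons-compress has to bound the work it is willing to do until it upgrades. The following is an added illustration, not code from this bug report or from the commons-compress project. It uses the real commons-compress class BZip2CompressorOutputStream; the wrapper class BoundedBzip2, its method names, the size and time limits and the sample input are assumptions made for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.compress.compressors.bzip2.BZip2CompressorOutputStream;

/**
 * Illustrative wrapper (not part of commons-compress): compresses untrusted
 * input with bzip2 but refuses to wait longer than a caller-chosen budget.
 * The class name, limits and sample data are assumptions for this example.
 */
public final class BoundedBzip2 {

    // Size cap on accepted input. A crafted block can be small, so the
    // time limit below, not this number, is the real defence.
    private static final int MAX_INPUT_BYTES = 8 * 1024 * 1024;

    // Fixed-size pool: a compression that has gone pathological cannot be
    // stopped mid-sort, so the worker count caps how much CPU hostile
    // inputs can pin at once.
    private final ExecutorService pool;

    public BoundedBzip2(int workers) {
        this.pool = Executors.newFixedThreadPool(workers);
    }

    /** Compresses input, or throws TimeoutException once the budget is spent. */
    public byte[] compress(byte[] input, long timeout, TimeUnit unit)
            throws IOException, TimeoutException {
        if (input.length > MAX_INPUT_BYTES) {
            throw new IOException("input exceeds " + MAX_INPUT_BYTES + " bytes");
        }
        Future<byte[]> job = pool.submit(() -> {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (BZip2CompressorOutputStream bz = new BZip2CompressorOutputStream(buf)) {
                bz.write(input);
            }
            return buf.toByteArray();
        });
        try {
            return job.get(timeout, unit);
        } catch (TimeoutException e) {
            // Caveat: cancel(true) only sets the interrupt flag. The block
            // sort does not poll it, so expect the worker to stay busy until
            // the current block finishes; the caller is released, the CPU is not.
            job.cancel(true);
            throw e;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while compressing", e);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IOException("compression failed", cause);
        }
    }

    public void shutdown() {
        pool.shutdownNow();
    }

    public static void main(String[] args) throws Exception {
        BoundedBzip2 bz = new BoundedBzip2(2);
        // Constructed sample input; benign, not a crafted file.
        byte[] sample = "constructed sample input for the example"
                .getBytes(StandardCharsets.US_ASCII);
        try {
            byte[] out = bz.compress(sample, 2, TimeUnit.SECONDS);
            System.out.println("compressed " + sample.length + " -> " + out.length + " bytes");
        } catch (TimeoutException e) {
            System.out.println("rejected: compression exceeded its time budget");
        } finally {
            bz.shutdown();
        }
    }
}
```

The timeout protects the request path, and the fixed pool bounds how many pathological inputs can burn CPU simultaneously; a client that repeatedly trips the timeout is a signal for rate limiting or blocking. The same guard applies to Ant's copy of the bzip2 code (versions 1.5 through 1.8.3, per this bug). Neither replaces the actual fix, which is commons-compress 1.4.1 or ant 1.8.4, where the fallback sort removes the worst case.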
Comment 6 David Jorm 2012-04-12 02:58:23 UTC
apache-commons-compress is shipped with JBoss Enterprise BRMS Platform 5.2.0. It is only used in the org.jbpm.process.workitem.archive.ArchiveWorkItemHandler class, which does not utilize bzip2 compression. Therefore JBoss Enterprise BRMS Platform 5.2.0 is not affected by this flaw.

Comment 7 David Jorm 2012-04-12 03:23:09 UTC
apache-commons-compress is shipped with JBoss Enterprise Portal Platform 5.2.0. The JAR is not utilized to do any compression operations, and therefore JBoss Enterprise Portal Platform 5.2.0 is not affected by this flaw.

Comment 12 Mikolaj Izdebski 2012-05-22 08:49:55 UTC
I have reviewed the upstream patch. The newly introduced fallback sort is definitely fixing the problem.

Comment 13 David Jorm 2012-05-23 03:37:29 UTC
Commons-compress is fixed in version 1.4.1. The relevant commits are revisions 1332540, 1332552, 1333522, 1337444, 1340715, 1340723, 1340757, 1340786, 1340787, 1340790, 1340795 and 1340799.

Comment 14 Mark J. Cox 2012-05-23 14:18:39 UTC
They made this public today, removing embargo.

https://commons.apache.org/compress/security.html

Comment 15 David Jorm 2012-05-24 03:33:35 UTC
Created apache-commons-compress tracking bugs for this issue

Affects: fedora-all [bug 824708]

Comment 18 Mikolaj Izdebski 2013-04-12 11:56:17 UTC
Reported to plexus-archiver upstream:
http://jira.codehaus.org/browse/PLXCOMP-219

Comment 19 Vincent Danen 2013-06-03 21:00:43 UTC
This issue affects Apache Ant as well, version 1.5 through to 1.8.3 (fixed in 1.8.4).


Statement:

This issue does not affect the Apache commons-compress library as shipped with JBoss Enterprise BRMS Platform 5.2.0 or JBoss Enterprise Portal Platform 5.2.0.