Bug 1618573 – CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1618573 - (CVE-2018-11771) CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip

Summary:	CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to...

Status:	NEW

Aliases:	CVE-2018-11771

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180817,repor...
Keywords:	Security

Depends On:	1618575 1618574 1625463 1625464 1640713 1640717 1640719
Blocks:	1618576
	Show dependency tree / graph

Reported:	2018-08-16 22:22 EDT by Sam Fowler
Modified:	2018-10-18 11:08 EDT (History)
CC List:	88 users (show)

See Also:
Fixed In Version:	apache-commons-compress 1.18
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sam Fowler 2018-08-16 22:22:45 EDT

Apache Commons Compress versions 1.7 to 1.17 are vulnerable to a denial of service attack via crafted ZIP archive. When reading a specially crafted ZIP archive, the read method of ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached.  When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.


External Reference:

https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E

Comment 1 Sam Fowler 2018-08-16 22:23:02 EDT

Created apache-commons-compress tracking bugs for this issue:

Affects: fedora-all [bug 1618574]

Comment 3 Doran Moppert 2018-08-21 04:18:40 EDT

Upstream ticket:

https://issues.apache.org/jira/browse/COMPRESS-463

Upstream patch:

https://github.com/apache/commons-compress/commit/a41ce689

Prior patches introducing tests:

https://github.com/apache/commons-compress/commit/0fe6ae31
https://github.com/apache/commons-compress/commit/64ed6dde

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alazarot
anstephe
apevec
bbuckingham
bcourt
bkearney
bmcclain
cbyrne
chazlett
chrisw
cmacedo
dblechte
dfediuck
dffrench
drieden
drusso
eedri
etirelli
gvarsami
hghasemb
hhorak
ibek
java-maint
java-sig-commits
jcoleman
jjoyce
jmadigan
jolee
jorton
jschatte
jschluet
jshepherd
jstastny
kbasil
kconner
krathod
kverlaen
ldimaggi
lgriffin
lhh
loleary
lpeer
lpetrovi
markmc
mburns
mgoldboi
michal.skrivanek
mizdebsk
mkolesni
mmccune
mrike
ngough
nwallace
nyechiel
ohadlevy
paradhya
ppenicka
pszubiak
pwright
rbryant
rchan
rjerrido
rrajasek
rsynek
rwagner
rzhang
sandro
sbonazzo
sclewis
sdaley
sherold
sisharma
slinaber
smohan
SpikeFedora
spinder
ssaha
tcunning
tdecacqu
theute
tjay
tkirby
trepel
vbellur
vhalbert
ylavi
yozone