The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. According to NIST NVD database this issue has high impact. For more info see: https://nvd.nist.gov/vuln/detail/CVE-2019-12402
We should be able to merge 1.19 from rawhide into stable branches. I'll look into it later today.
FEDORA-2019-da0eac1eb6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-da0eac1eb6
FEDORA-2019-c96a8d12b0 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-c96a8d12b0
There are some strange commits in f29 that look like they've never been built. I also don't care about f29 enough to actually work this out, and it will be EOL in ~6 weeks anyway.
apache-commons-compress-1.19-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c96a8d12b0
apache-commons-compress-1.19-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-da0eac1eb6
*** Bug 1764641 has been marked as a duplicate of this bug. ***
apache-commons-compress-1.19-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
apache-commons-compress-1.19-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.