The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
Created apache-commons-compress tracking bugs for this issue:
Affects: fedora-all [bug 1764641]
The flaw lies in the encode() method of NioZipEncoding class, which leverages java.nio to encode names. Specifically, the file name is encoded repeatedly, until there are no remaining characters in the input buffer. The encoder consumes characters from the input buffer, translates them, and writes the resulting bytes to an output buffer. During this process the exit condition UNDERFLOW (meaning that either the input buffer has been completely consumed or there is insufficient input) is not taken into account, leading to a possible infinite loop.
Class ZipArchiveOutputStream creates an output stream for writing files in the ZIP file format. The flaw is triggered when calling the putArchiveEntry() method with a carefully crafted ArchiveEntry, whose name is then encoded by the aforementioned encoding algorithm used internally in Apache Commons Compress.
The fallback zip encoding implementation that leverages java.io has been superseded in favor of NIO based encoding (java.nio) in Compress version 1.15.
The UNDERFLOW exit condition in NioZipEncoding class has been removed from the while loop in the same version 1.15.
This issue does not affect the versions of apache-commons-compress as shipped with Red Hat Enterprise Linux 7, and the versions of rh-java-common-apache-commons-compress and rh-maven35-apache-commons-compress as shipped with Red Hat Software Collections 3, as they used a fallback zip encoding implementation (leveraging java.io) to encode filenames.
This issue does not affect the versions of rh-maven36-apache-commons-compress as shipped with Red Hat Software Collection 3 as they already include the patch.
Marking Red Hat Fuse 7 as having a moderate impact, the use of Apache Commons Compress as part of Fuse Online is in the Project Generation phase and is not something made available as part of a service to the network (AV:N -> AV:L), the naming of the files is also controlled by the local user/developer, an attacker would need to invest a measurable amount of effort to alter the target environment to exploit the vulnerability (AC:L -> AC:H)