Bug 1982336 (CVE-2021-36373) - CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive
Summary: CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-36373
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1982337 1982338 1982339 1984960 1984961 1988325 1988326 1988327 1988328 1988329
Blocks: 1982341
Reported: 2021-07-14 17:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-02-06 04:51 UTC

Fixed In Version: Apache Ant 1.9.16, Ant 1.10.11
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-31 17:55:52 UTC
Embargoed:
Links:
Red Hat Product Errata RHSA-2022:5903 (last updated 2022-08-04 04:46:49 UTC)

Description Guilherme de Almeida Suckevicz 2021-07-14 17:53:36 UTC
When reading a specially crafted TAR archive, an Apache Ant build can be made to allocate large amounts of memory, which finally leads to an out-of-memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant versions prior to 1.9.16 and 1.10.11 were affected.

Reference:
https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E

Comment 1 Guilherme de Almeida Suckevicz 2021-07-14 17:54:22 UTC
Created ant tracking bugs for this issue:

Affects: fedora-all [bug 1982338]


Created ant:1.10/ant tracking bugs for this issue:

Affects: fedora-all [bug 1982337]


Created javapackages-bootstrap:202001/ant tracking bugs for this issue:

Affects: fedora-all [bug 1982339]

Comment 23 errata-xmlrpc 2022-08-04 04:46:44 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.0 async

Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903

Comment 25 Product Security DevOps Team 2022-08-31 17:55:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-36373
