A flaw was found in the Apache commons-compress Java library when compressing files using bzip2 compression. If a malicious user were to provide a specially-crafted file to a service using commons-compress, it would take an extremely long time to compress the file, which could possibly lead to a denial of service.
apache-commons-compress is shipped with JBoss Enterprise BRMS Platform 5.2.0. It is only used in the org.jbpm.process.workitem.archive.ArchiveWorkItemHandler class, which does not utilize bzip2 compression. Therefore JBoss Enterprise BRMS Platform 5.2.0 is not affected by this flaw.
apache-commons-compress is shipped with JBoss Enterprise Portal Platform 5.2.0. The JAR is not utilized to do any compression operations, and therefore JBoss Enterprise Portal Platform 5.2.0 is not affected by this flaw.
A patched upstream build is available as a snapshot:
I have reviewed the upstream patch. The newly introduced fallback sort is definitely fixing the problem.
Commons-compress is fixed in version 1.4.1. The relevant commits are revisions 1332540, 1332552, 1333522, 1337444, 1340715, 1340723, 1340757, 1340786, 1340787, 1340790, 1340795 and 1340799.
They made this public today, removing embargo.
Created apache-commons-compress tracking bugs for this issue
Affects: fedora-all [bug 824708]
Reported to plexus-archiver upstream:
This issue affects Apache Ant as well, version 1.5 through to 1.8.3 (fixed in 1.8.4).
This issue does not affect the Apache commons-compress library as shipped with JBoss Enterprise BRMS Platform 5.2.0 or JBoss Enterprise Portal Platform 5.2.0.