Bug 810406 - (CVE-2012-2098) CVE-2012-2098 apache-commons-compress: denial of service flaw when compressing certain files
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20120523,reported=2...
Keywords: Reopened, Security
Depends On: 824708
Blocks: 810408 951526
Reported: 2012-04-05 18:17 EDT by Vincent Danen
Modified: 2016-01-31 21:03 EST (History)

Fixed In Version: apache-commons-compress 1.4.1, ant 1.8.4
Doc Type: Bug Fix
Last Closed: 2012-05-24 05:12:45 EDT
Description Vincent Danen 2012-04-05 18:17:39 EDT
A flaw was found in the Apache commons-compress Java library when compressing files using bzip2 compression.  If a malicious user were to provide a specially-crafted file to a service using commons-compress, it would take an extremely long time to compress the file, which could possibly lead to a denial of service.
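The description above is the whole of what this report says about the flaw: attacker-controlled input makes bzip2 compression take an extremely long time. Until a fixed library (1.4.1 or later, per Comment 13) is deployed, a service that compresses untrusted bytes can at least cap input size and bound how long a request is allowed to wait on compression. The following is an added illustration written for this page, not code from the bug report or from the commons-compress project; the class name, the two limits and the constructed sample input are assumptions, while `BZip2CompressorOutputStream` is the library's real compressor class.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.compress.compressors.bzip2.BZip2CompressorOutputStream;

public class BoundedBzip2 {
    // Hypothetical limits chosen for illustration; tune them to the service.
    static final int MAX_INPUT_BYTES = 1 << 20;   // reject anything above 1 MiB
    static final long TIME_BUDGET_MS = 2_000;     // give up waiting after 2 s

    /** Compress caller-supplied bytes with a size cap and a wait budget. */
    static byte[] compressUntrusted(byte[] input) throws IOException {
        if (input.length > MAX_INPUT_BYTES) {
            throw new IllegalArgumentException("input exceeds size cap");
        }
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Future<byte[]> job = pool.submit(() -> {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (BZip2CompressorOutputStream bz = new BZip2CompressorOutputStream(buf)) {
                bz.write(input);
            }
            return buf.toByteArray();
        });
        try {
            return job.get(TIME_BUDGET_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Stop waiting on this request; see the note below on what cancel() does not do.
            job.cancel(true);
            throw new IOException("compression exceeded time budget; rejecting input", e);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while compressing", e);
        } catch (ExecutionException e) {
            throw new IOException("compression failed", e.getCause());
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input, not a crafted file from the report.
        byte[] sample = "constructed sample input for the bounded compressor".getBytes(StandardCharsets.UTF_8);
        byte[] out = compressUntrusted(sample);
        System.out.println("compressed " + sample.length + " bytes to " + out.length + " bytes");
    }
}
```

The timeout bounds how long the caller is tied up, not how much CPU the library burns: as far as I know the bzip2 block sort does not poll the thread's interrupt flag, so `cancel(true)` will not stop a sort that is already running, and a flood of slow inputs can still exhaust the worker pool. The size cap narrows the window, but the actual remedy is the fallback sort introduced upstream (Comment 12) and shipped in 1.4.1.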
Comment 6 David Jorm 2012-04-11 22:58:23 EDT
apache-commons-compress is shipped with JBoss Enterprise BRMS Platform 5.2.0. It is only used in the org.jbpm.process.workitem.archive.ArchiveWorkItemHandler class, which does not utilize bzip2 compression. Therefore JBoss Enterprise BRMS Platform 5.2.0 is not affected by this flaw.
Comment 7 David Jorm 2012-04-11 23:23:09 EDT
apache-commons-compress is shipped with JBoss Enterprise Portal Platform 5.2.0. The JAR is not utilized to do any compression operations, and therefore JBoss Enterprise Portal Platform 5.2.0 is not affected by this flaw.
Comment 12 Mikolaj Izdebski 2012-05-22 04:49:55 EDT
I have reviewed the upstream patch. The newly introduced fallback sort is definitely fixing the problem.
Comment 13 David Jorm 2012-05-22 23:37:29 EDT
Commons-compress is fixed in version 1.4.1. The relevant commits are revisions 1332540, 1332552, 1333522, 1337444, 1340715, 1340723, 1340757, 1340786, 1340787, 1340790, 1340795 and 1340799.
Comment 14 Mark J. Cox (Product Security) 2012-05-23 10:18:39 EDT
They made this public today, removing embargo.

https://commons.apache.org/compress/security.html
Comment 15 David Jorm 2012-05-23 23:33:35 EDT
Created apache-commons-compress tracking bugs for this issue

Affects: fedora-all [bug 824708]
Comment 18 Mikolaj Izdebski 2013-04-12 07:56:17 EDT
Reported to plexus-archiver upstream:
http://jira.codehaus.org/browse/PLXCOMP-219
Comment 19 Vincent Danen 2013-06-03 17:00:43 EDT
This issue affects Apache Ant as well, version 1.5 through to 1.8.3 (fixed in 1.8.4).


Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue in Red Hat Enterprise Linux 5 and 6 for Apache Ant. This issue does not affect the Apache commons-compress library as shipped with JBoss Enterprise BRMS Platform 5.2.0 or JBoss Enterprise Portal Platform 5.2.0.  For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
