Bug 951521 - plexus-archiver: Uses embedded bzip implementation from apache-commons-compress (making it vulnerable to the CVE-2012-2098 flaw and possibly others)
Product: Fedora
Classification: Fedora
Component: plexus-archiver (Show other bugs)
Assigned To: Mikolaj Izdebski
Fedora Extras Quality Assurance
Depends On:
Blocks: 951522
Reported: 2013-04-12 07:31 EDT by Jan Lieskovsky
Modified: 2013-05-13 00:21 EDT (History)

See Also:
Fixed In Version: 2.3-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 951522 (view as bug list)
Last Closed: 2013-05-13 00:21:07 EDT
Type: Bug

Attachments (Terms of Use)
Proposed patch from Mikolaj Izdebski (original issue reporter) to correct this deficiency (95.45 KB, patch)
2013-04-12 07:32 EDT, Jan Lieskovsky

Description Jan Lieskovsky 2013-04-12 07:31:06 EDT
Description of problem:
The current version of the plexus-archiver package in Fedora 17 contains an embedded bzip2 implementation within the included apache-commons-compress source, which makes it vulnerable to the CVE-2012-2098 flaw (and possibly others).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1) Have a look at:

2) Compare it with upstream patch for CVE-2012-2098:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=810406#c17
Actual results:
Patch from [1] is applicable against (current) plexus-archiver package version in Fedora 17 too.

Expected results:
plexus-archiver should use the system version of the apache-commons-compress package, which is available in Fedora 17, so that in case a similar flaw is found in apache-commons-compress, it would not be needed to patch both packages (apache-commons-compress & plexus-archiver); patching the apache-commons-compress package alone would be sufficient.
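A packaging-side check for the situation this report describes, added here as an example and not code from the bug report, from Fedora or from the plexus-archiver project: it inspects a jar with Python's standard `zipfile` module and reports (a) class files under a package prefix that belongs to a separately packaged library such as apache-commons-compress, and (b) class names the application jar shares with the system jar of that library, which is exactly the code a fix to the system package would not reach. The jars and their entry names are constructed in memory for the demonstration; the plexus class name is assumed rather than taken from the report.

```python
import io
import zipfile

# Package prefixes whose classes must come from a separately packaged
# (system) jar rather than be copied into another project's jar.
# org/apache/commons/compress/ is the library this bug report concerns.
WATCHED_PREFIXES = {
    "org/apache/commons/compress/": "apache-commons-compress",
}


def class_entries(jar_bytes):
    """Return the set of .class entry names in a jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {n for n in jar.namelist() if n.endswith(".class")}


def find_bundled_classes(jar_bytes, prefixes=WATCHED_PREFIXES):
    """Map library name -> sorted list of its classes embedded in the jar.

    Prefix matching catches a bundled copy even when no system jar is at
    hand to compare against."""
    found = {}
    for name in sorted(class_entries(jar_bytes)):
        for prefix, library in prefixes.items():
            if name.startswith(prefix):
                found.setdefault(library, []).append(name)
    return found


def overlapping_classes(app_jar_bytes, system_jar_bytes):
    """Classes present in both jars: code the application carries that the
    system package already provides, so a patch to the system package alone
    would leave the embedded copy unfixed."""
    return sorted(class_entries(app_jar_bytes) & class_entries(system_jar_bytes))


def build_sample_jar(entries):
    """Construct an in-memory jar (constructed test data; entry bodies are
    dummies, only the entry names matter for the check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            if name.endswith(".class"):
                body = b"\xca\xfe\xba\xbe"  # class-file magic only
            else:
                body = b"Manifest-Version: 1.0\n"
            jar.writestr(name, body)
    return buf.getvalue()


# The bzip2 compressor class of commons-compress, the code this bug is about.
BZIP2_CLASS = "org/apache/commons/compress/compressors/bzip2/BZip2CompressorOutputStream.class"

# Constructed samples. The archiver class name is an assumed, illustrative entry.
EMBEDDED_JAR = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "org/codehaus/plexus/archiver/AbstractArchiver.class",
    BZIP2_CLASS,  # the embedded copy that bundling leaves unpatched
])
CLEAN_JAR = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "org/codehaus/plexus/archiver/AbstractArchiver.class",
])
# What the separately packaged (system) apache-commons-compress jar would carry.
SYSTEM_COMPRESS_JAR = build_sample_jar([
    "META-INF/MANIFEST.MF",
    BZIP2_CLASS,
    "org/apache/commons/compress/archivers/ArchiveEntry.class",
])

if __name__ == "__main__":
    for label, jar in (("embedded", EMBEDDED_JAR), ("clean", CLEAN_JAR)):
        print(label, "bundled:", find_bundled_classes(jar))
        print(label, "overlap with system jar:",
              overlapping_classes(jar, SYSTEM_COMPRESS_JAR))
```

On a real system the two byte strings would be read from the packaged plexus-archiver jar and the system apache-commons-compress jar; any non-empty result from either function is a case where the dependency should be replaced by the system package, as the expected results above ask for.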
Comment 1 Jan Lieskovsky 2013-04-12 07:32:15 EDT
Created attachment 734677 [details]
Proposed patch from Mikolaj Izdebski (original issue reporter) to correct this deficiency
Comment 2 Mikolaj Izdebski 2013-04-12 07:42:59 EDT
Fixed in plexus-archiver-2.3-1
Comment 3 Fedora Update System 2013-04-12 08:14:30 EDT
plexus-archiver-2.3-1.fc17 has been submitted as an update for Fedora 17.
Comment 4 Fedora Update System 2013-04-12 18:23:53 EDT
Package plexus-archiver-2.3-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing plexus-archiver-2.3-1.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 5 Mikolaj Izdebski 2013-05-13 00:21:07 EDT
I believe that this bug is fixed in plexus-archiver-2.3-1,
which is available in updates for Fedora 17, so I am closing this bug now.
Thank you for reporting it.  You are welcome to submit any further reports.

The build containing the fix can be found at Koji:
