+++ This bug was initially created as a clone of Bug #951521 +++
Description of problem:
The current version of the plexus-archiver package in Fedora 18 contains an embedded bzip2 code implementation within the included apache-commons-compress source, which makes it vulnerable to the CVE-2012-2098 flaw (and possibly others).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1) Have a look at:
2) Compare it with upstream patch for CVE-2012-2098:
Patch from  is applicable against (current) plexus-archiver package version in Fedora 18 too.
plexus-archiver should use the system version of the apache-commons-compress package, which is available in Fedora 18, so that if a similar flaw is found in apache-commons-compress, it would not be necessary to patch both packages (apache-commons-compress & plexus-archiver); patching apache-commons-compress alone would be sufficient.
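The deficiency the report describes is a jar that carries its own copy of another library's classes, so a fix to the system package never reaches the bundled copy. The following is an added example, not code from the bug report or from the plexus-archiver or Fedora projects: a small Python check that scans a jar for class entries under a watched package prefix. The function names (`find_bundled_classes`, `build_sample_jar`, `scan_jar_file`), the in-memory sample jars and their entry names are constructed for the example; the only assumption is that bundled classes appear under the library's normal package path inside the jar.

```python
"""Added example: detect a bundled copy of a library's classes inside a jar.

Not part of the original bug report. It illustrates why shipping an embedded
copy of apache-commons-compress inside plexus-archiver is a problem: a patch
to the system apache-commons-compress package does not reach the copy.
"""
import io
import zipfile

# Package prefix whose classes should come from the system package, not be bundled.
WATCHED_PREFIXES = ("org/apache/commons/compress/",)


def find_bundled_classes(jar_bytes: bytes, prefixes=WATCHED_PREFIXES) -> dict:
    """Return {prefix: sorted entry names} for every .class entry under a watched prefix.

    An empty dict means no watched classes are bundled.
    """
    found = {p: [] for p in prefixes}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue  # manifests, resources etc. are not what we are after
            for prefix in prefixes:
                if name.startswith(prefix):
                    found[prefix].append(name)
    return {p: sorted(v) for p, v in found.items() if v}


def scan_jar_file(path: str, prefixes=WATCHED_PREFIXES) -> dict:
    """Convenience wrapper: run the check against a jar on disk."""
    with open(path, "rb") as fh:
        return find_bundled_classes(fh.read(), prefixes)


def build_sample_jar(entries) -> bytes:
    """Constructed sample: build an in-memory jar with the given entry names.

    Entry contents are a dummy class-file magic number, not real bytecode;
    only the entry paths matter for the check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed sample mimicking the reported state: the archiver's own classes
# plus a bundled copy of commons-compress' bzip2 implementation.
BUNDLED_JAR = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "org/codehaus/plexus/archiver/Archiver.class",
    "org/apache/commons/compress/compressors/bzip2/BZip2CompressorInputStream.class",
    "org/apache/commons/compress/compressors/bzip2/BZip2CompressorOutputStream.class",
])

# Constructed sample mimicking the fixed state: compression classes are resolved
# from the system apache-commons-compress package, so none are inside the jar.
CLEAN_JAR = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "org/codehaus/plexus/archiver/Archiver.class",
])


if __name__ == "__main__":
    for label, data in (("bundled", BUNDLED_JAR), ("clean", CLEAN_JAR)):
        hits = find_bundled_classes(data)
        print(f"{label}: {hits if hits else 'no bundled commons-compress classes'}")
```

Run against a real package with `scan_jar_file("/usr/share/java/plexus/archiver.jar")` (path is an assumption; use whatever the installed jar path is). A non-empty result is the signal that the package still needs to be rebuilt against the system library rather than carrying its own copy.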
Created attachment 734678 [details]
Proposed patch from Mikolaj Izdebski (original issue reporter) to correct this deficiency
Fixed in plexus-archiver-2.3-1
plexus-archiver-2.3-1.fc18 has been submitted as an update for Fedora 18.
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing plexus-archiver-2.3-1.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
I believe that this bug is fixed in plexus-archiver-2.3-1,
which is available in updates for Fedora 18, so I am closing this bug now.
Thank you for reporting it. You are welcome to submit any further reports.
The build containing the fix can be found at Koji: