Bug 951522 - plexus-archiver: Uses embedded bzip implementation from apache-commons-compress (making it vulnerable to the CVE-2012-2098 flaw and possibly others)
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: plexus-archiver
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Mikolaj Izdebski
QA Contact: Fedora Extras Quality Assurance
Depends On: 951521
Reported: 2013-04-12 11:34 UTC by Jan Lieskovsky
Modified: 2013-05-13 04:21 UTC (History)

Fixed In Version: 2.3-1
Clone Of: 951521
Last Closed: 2013-05-13 04:21:11 UTC
Type: Bug


Attachments
Proposed patch from Mikolaj Izdebski (original issue reporter) to correct this deficiency (95.45 KB, patch), 2013-04-12 11:35 UTC, Jan Lieskovsky

Description Jan Lieskovsky 2013-04-12 11:34:48 UTC
+++ This bug was initially created as a clone of Bug #951521 +++

Description of problem:
The current version of the plexus-archiver package in Fedora 18 contains an embedded bzip2 code implementation within the included apache-commons-compress source, which makes it vulnerable to the CVE-2012-2098 flaw (and possibly others).

Version-Release number of selected component (if applicable):
plexus-archiver-2.1.1-2.fc18

How reproducible:
Always

Steps to Reproduce:
1) Have a look at:
  /root/rpmbuild/BUILD/sonatype-plexus-archiver-25364f5/src/main/java/org/codehaus/plexus/archiver/bzip2

2) Compare it with upstream patch for CVE-2012-2098:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=810406#c17
  
Actual results:
The patch from [1] is applicable to the (current) plexus-archiver package version in Fedora 18 too.

Expected results:
plexus-archiver should use the system version of the apache-commons-compress package, which is available in Fedora 18, so that if a similar flaw is found in the apache-commons-compress package, it would not be necessary to patch both packages (apache-commons-compress and plexus-archiver); patching the apache-commons-compress package alone would be sufficient.
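A check a packager could run against the rebuilt jar and its POM, added here as an example (it is not part of the bug report or of the plexus-archiver project): it flags any bzip2 codec class carried inside the plexus-archiver jar itself, which is exactly the copied code that escapes patching of the library package, and confirms the POM declares commons-compress as a dependency. The codec class names matched (CBZip2*Stream / BZip2Compressor*Stream) and the sample jar layouts are assumptions constructed for the example.

```python
"""Check whether a plexus-archiver build still embeds its own bzip2 codec instead of using the system commons-compress."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Codec class names from the two lineages of this code (assumed names: the
# Ant-derived CBZip2*Stream and the commons-compress BZip2Compressor*Stream).
CODEC_NAME = re.compile(r"C?BZip2(Compressor)?(Input|Output)Stream(\$.*)?$")
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"


def bundled_codec_classes(jar_bytes):
    """Return every .class entry in the jar that is a bzip2 codec. A build that
    uses the system commons-compress should ship none: any hit is an embedded
    copy that must be patched separately from the library package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                cls = name[:-len(".class")].rpartition("/")[2]
                if CODEC_NAME.match(cls):
                    hits.append(name)
    return hits


def depends_on_commons_compress(pom_xml):
    """True if the POM declares org.apache.commons:commons-compress as a dependency."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(MAVEN_NS + "dependency"):
        if (dep.findtext(MAVEN_NS + "groupId") == "org.apache.commons"
                and dep.findtext(MAVEN_NS + "artifactId") == "commons-compress"):
            return True
    return False


def build_jar(entries):
    """Constructed in-memory jar with empty entries (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples: the 2.1.1 layout from the report vs. the expected fixed one.
OLD_JAR = build_jar(["org/codehaus/plexus/archiver/bzip2/BZip2Archiver.class",
                     "org/codehaus/plexus/archiver/bzip2/CBZip2OutputStream.class",
                     "org/codehaus/plexus/archiver/bzip2/CBZip2InputStream.class"])
FIXED_JAR = build_jar(["org/codehaus/plexus/archiver/bzip2/BZip2Archiver.class"])
FIXED_POM = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>'
             '<dependency><groupId>org.apache.commons</groupId>'
             '<artifactId>commons-compress</artifactId></dependency></dependencies></project>')
```

Running `bundled_codec_classes` on the two samples shows why the package-level fix matters: the old layout reports two embedded codec classes, the fixed layout reports none while `depends_on_commons_compress(FIXED_POM)` is true.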

Comment 1 Jan Lieskovsky 2013-04-12 11:35:31 UTC
Created attachment 734678
Proposed patch from Mikolaj Izdebski (original issue reporter) to correct this deficiency

Comment 2 Mikolaj Izdebski 2013-04-12 11:42:31 UTC
Fixed in plexus-archiver-2.3-1

Comment 3 Fedora Update System 2013-04-12 12:13:20 UTC
plexus-archiver-2.3-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/plexus-archiver-2.3-1.fc18

Comment 4 Fedora Update System 2013-04-12 22:24:39 UTC
Package plexus-archiver-2.3-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing plexus-archiver-2.3-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5548/plexus-archiver-2.3-1.fc18
then log in and leave karma (feedback).

Comment 5 Mikolaj Izdebski 2013-05-13 04:21:11 UTC
I believe that this bug is fixed in plexus-archiver-2.3-1,
which is available in updates for Fedora 18, so I am closing this bug now.
Thank you for reporting it.  You are welcome to submit any further reports.

The build containing the fix can be found at Koji:
http://koji.fedoraproject.org/koji/buildinfo?buildID=411158

