Bug 810406 (CVE-2012-2098) - CVE-2012-2098 apache-commons-compress: denial of service flaw when compressing certain files
Summary: CVE-2012-2098 apache-commons-compress: denial of service flaw when compressin...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2012-2098
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 824708
Blocks: 810408 951526
TreeView+ depends on / blocked
 
Reported: 2012-04-05 22:17 UTC by Vincent Danen
Modified: 2021-02-24 12:44 UTC (History)
25 users (show)

Fixed In Version: apache-commons-compress 1.4.1, ant 1.8.4
Clone Of:
Environment:
Last Closed: 2019-06-10 10:58:27 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2012-04-05 22:17:39 UTC 
A flaw was found in the Apache commons-compress Java library when compressing files using bzip2 compression.  If a malicious user were to provide a specially-crafted file to a service using commons-compress, it would take an extremely long time to compress the file, which could possibly lead to a denial of service.
Comment 6 David Jorm 2012-04-12 02:58:23 UTC 
apache-commons-compress is shipped with JBoss Enterprise BRMS Platform 5.2.0. It is only used in the org.jbpm.process.workitem.archive.ArchiveWorkItemHandler class, which does not utilize bzip2 compression. Therefore JBoss Enterprise BRMS Platform 5.2.0 is not affected by this flaw.
Comment 7 David Jorm 2012-04-12 03:23:09 UTC 
apache-commons-compress is shipped with JBoss Enterprise Portal Platform 5.2.0. The JAR is not utilized to do any compression operations, and therefore JBoss Enterprise Portal Platform 5.2.0 is not affected by this flaw.
Comment 11 David Jorm 2012-05-22 01:14:01 UTC 
A patched upstream build is available as a snapshot:

https://repository.apache.org/content/repositories/snapshots/org/apache/commons/commons-compress/1.4.1-SNAPSHOT/commons-compress-1.4.1-20120521.112059-5.jar
Comment 12 Mikolaj Izdebski 2012-05-22 08:49:55 UTC 
I have reviewed the upstream patch. The newly introduced fallback sort is definitely fixing the problem.
Comment 13 David Jorm 2012-05-23 03:37:29 UTC 
Commons-compress is fixed in version 1.4.1. The relevant commits are revisions 1332540, 1332552, 1333522, 1337444, 1340715, 1340723, 1340757, 1340786, 1340787, 1340790, 1340795 and 1340799.
Comment 14 Mark J. Cox 2012-05-23 14:18:39 UTC 
They made this public today, removing embargo.

https://commons.apache.org/compress/security.html
Comment 15 David Jorm 2012-05-24 03:33:35 UTC 
Created apache-commons-compress tracking bugs for this issue

Affects: fedora-all [bug 824708]
Comment 17 Jan Lieskovsky 2012-05-24 10:58:34 UTC 
http://commons.apache.org/compress/security.html
http://ant.apache.org/security.html

Upstream patches:
http://svn.apache.org/viewvc?view=revision&revision=1340895
http://svn.apache.org/viewvc?view=revision&revision=1340990

References:
http://secunia.com/advisories/49286/
Comment 18 Mikolaj Izdebski 2013-04-12 11:56:17 UTC 
Reported to plexus-archiver upstream:
http://jira.codehaus.org/browse/PLXCOMP-219
Comment 19 Vincent Danen 2013-06-03 21:00:43 UTC 
This issue affects Apache Ant as well, version 1.5 through to 1.8.3 (fixed in 1.8.4).


Statement:

This issue does not affect the Apache commons-compress library as shipped with JBoss Enterprise BRMS Platform 5.2.0 or JBoss Enterprise Portal Platform 5.2.0.
Note You need to log in before you can comment on or make changes to this bug.