Bug 1982336 (CVE-2021-36373) - CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive
Status: NEW
Alias: CVE-2021-36373
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1982337 1982338 1982339 1988326 1988327 1988328 1984960 1984961 1988325 1988329
Blocks: 1982341
Reported: 2021-07-14 17:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-15 11:51 UTC

Fixed In Version: Apache Ant 1.9.16, Ant 1.10.11

Description Guilherme de Almeida Suckevicz 2021-07-14 17:53:36 UTC
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Reference:
https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E

Comment 1 Guilherme de Almeida Suckevicz 2021-07-14 17:54:22 UTC
Created ant tracking bugs for this issue:

Affects: fedora-all [bug 1982338]


Created ant:1.10/ant tracking bugs for this issue:

Affects: fedora-all [bug 1982337]


Created javapackages-bootstrap:202001/ant tracking bugs for this issue:

Affects: fedora-all [bug 1982339]

