Bug 1982331 (CVE-2021-36374) - CVE-2021-36374 ant: excessive memory allocation when reading a specially crafted ZIP archive or a derived format
Status: NEW
Alias: CVE-2021-36374
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
Depends On: 1982332 1982333 1982334 1984963 1984964 1988319 1988320 1988321 1988322 1988323
Blocks: 1982341
Reported: 2021-07-14 17:51 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-02-01 03:42 UTC

Fixed In Version: Apache Ant 1.9.16, Ant 1.10.11

Description Guilherme de Almeida Suckevicz 2021-07-14 17:51:37 UTC
When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant versions prior to 1.9.16 and 1.10.11 were affected.

Reference:
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E

Comment 1 Guilherme de Almeida Suckevicz 2021-07-14 17:52:23 UTC
Created ant tracking bugs for this issue:

Affects: fedora-all [bug 1982332]


Created ant:1.10/ant tracking bugs for this issue:

Affects: fedora-all [bug 1982333]


Created javapackages-bootstrap:202001/ant tracking bugs for this issue:

Affects: fedora-all [bug 1982334]

