<?xml version="1.0"?>
<!--

   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
   this work for additional information regarding copyright ownership.
   The ASF licenses this file to You under the Apache License, Version 2.0
   (the "License"); you may not use this file except in compliance with
   the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
-->
<document>
  <properties>
    <title>Commons Compress Security Reports</title>
    <author email="dev@commons.apache.org">Commons Documentation Team</author>
  </properties>
  <body>
    <section name="General Information">
      <p>For information about reporting or asking questions about
      security problems, please see the <a
      href="https://commons.apache.org/security.html">security page
      of the Commons project</a>.</p>
    </section>

    <section name="Apache Commons Compress Security Vulnerabilities">
      <p>This page lists all security vulnerabilities fixed in
      released versions of Apache Commons Compress. Each
      vulnerability is given a security impact rating by the
      development team - please note that this rating may vary from
      platform to platform. We also list the versions of Commons
      Compress the flaw is known to affect; where a flaw has not
      been verified against a version, that version is listed with a
      question mark.</p>

      <p>Please note that binary patches are never provided.
      If you need to apply a source code patch, use the building
      instructions for the Commons Compress version that you are
      using.</p>

      <p>If you need help building Commons Compress, or help
      following the instructions to mitigate the known
      vulnerabilities listed here, please send your questions to the
      public <a href="mail-lists.html">Compress Users mailing
      list</a>.</p>

      <p>If you have encountered an unlisted security vulnerability
      or other unexpected behaviour that has security impact, or if
      the descriptions here are incomplete, please report them
      privately to the Apache Security Team. Thank you.</p>

      <subsection name="Fixed in Apache Commons Compress 1.18">
        <p><b>Low: Denial of Service</b> <a
        href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771">CVE-2018-11771</a></p>

        <p>When reading a specially crafted ZIP archive, the read
        method of <code>ZipArchiveInputStream</code> can fail to
        return the correct EOF indication (<code>-1</code>) after the
        end of the stream has been reached.
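</p>

        <p>Guarding the consumer side of that failure, as an added
        example that is not Commons Compress or Apache code: the Python
        below models Java's <code>InputStream.read(byte[])</code>
        contract, where <code>-1</code> means end of stream and
        <code>0</code> means "no bytes this call", with a constructed
        <code>NeverEofStream</code> that keeps answering <code>0</code>
        once its data is exhausted. <code>drain()</code> enforces a byte
        budget and a cap on consecutive empty reads, so a stream that
        never signals EOF is rejected instead of being read forever. The
        class and function names and the sample payload are assumptions
        made for this illustration.</p>
<source><![CDATA[
```python
"""Fail-closed consumer for a stream that may never signal end-of-file.

Models Java's InputStream.read(byte[]) contract: the call returns the
number of bytes copied into the buffer, or -1 once the stream has ended;
0 is only legal for an empty buffer. A producer that keeps answering 0
(or keeps producing bytes) after its real data has ended makes a naive
"loop until -1" consumer spin forever. drain() is the consumer-side
guard: a byte budget and a cap on consecutive empty reads, both of which
raise instead of looping. Everything here is a constructed model for this
illustration, not Commons Compress code.
"""


class StreamAbuse(RuntimeError):
    """Raised when the producer exceeds the byte budget or stalls."""


class WellBehavedStream:
    """Hands out its payload in small chunks, then -1 forever (correct EOF)."""

    def __init__(self, payload, chunk=7):
        self._payload, self._pos, self._chunk = payload, 0, chunk

    def read_into(self, buf):
        if self._pos >= len(self._payload):
            return -1
        n = min(len(buf), self._chunk, len(self._payload) - self._pos)
        buf[:n] = self._payload[self._pos:self._pos + n]
        self._pos += n
        return n


class NeverEofStream(WellBehavedStream):
    """Same payload, but answers 0 instead of -1 once the data is exhausted:
    the shape of failure described for the read method above."""

    def read_into(self, buf):
        n = super().read_into(buf)
        return 0 if n == -1 else n


def drain(stream, max_bytes, max_stalls=8, buf_size=4096):
    """Collect everything `stream` yields, enforcing two limits.

    max_bytes  - total bytes accepted; stops an endlessly producing stream
                 (and doubles as decompression-bomb protection for an entry).
    max_stalls - consecutive 0-byte reads tolerated before giving up.
    Returns the collected bytes, or raises StreamAbuse.
    """
    out, buf, stalls = bytearray(), bytearray(buf_size), 0
    while True:
        n = stream.read_into(buf)
        if n == -1:
            return bytes(out)
        if n == 0:
            stalls += 1
            if stalls > max_stalls:
                raise StreamAbuse(
                    f"{stalls} consecutive empty reads and still no EOF after {len(out)} bytes")
            continue
        stalls = 0
        if len(out) + n > max_bytes:
            raise StreamAbuse(f"more than {max_bytes} bytes without EOF")
        out += buf[:n]


def outcome(stream, max_bytes=1 << 20):
    """Report 'ok:<bytes>' or 'rejected:<reason>' so callers can log or assert."""
    try:
        return f"ok:{len(drain(stream, max_bytes))}"
    except StreamAbuse as exc:
        return f"rejected:{exc}"


# Constructed sample entry contents (any bytes longer than the budgets below).
PAYLOAD = b"constructed sample entry contents for the stalled-stream demonstration"

if __name__ == "__main__":
    print("well-behaved:", outcome(WellBehavedStream(PAYLOAD)))
    print("never EOF:   ", outcome(NeverEofStream(PAYLOAD)))
    print("over budget: ", outcome(WellBehavedStream(PAYLOAD), max_bytes=16))
```
]]></source>
        <p>In Java the same two limits belong in a
        <code>FilterInputStream</code> placed between
        <code>ZipArchiveInputStream</code> and the
        <code>InputStreamReader</code>. That is defence in depth for
        callers that cannot upgrade immediately; the fix is still to move
        to a version that returns <code>-1</code> correctly.</p>
        <p>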
        Combined with a <code>java.io.InputStreamReader</code>, the
        missing EOF indication turns into an infinite stream, which can
        be used to mount a denial of service attack against services
        that use Compress' zip package.</p>

        <p>This was fixed in revision <a
        href="https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java;h=e1995d7aa51dfac6ae933987fb0b7760c607582b;hp=0a2c1aa0063c620c867715119eae2013c87b5e70;hb=a41ce6892cb0590b2e658704434ac0dbcb6834c8;hpb=64ed6dde03afbef6715fdfdeab5fc04be6192899">a41ce68</a>.</p>

        <p>This was first reported to the Security Team on 14 June
        2018 and made public on 16 August 2018.</p>

        <p>Affects: 1.7 - 1.17</p>

      </subsection>

      <subsection name="Fixed in Apache Commons Compress 1.16">
        <p><b>Low: Denial of Service</b> <a
        href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324">CVE-2018-1324</a></p>

        <p>A specially crafted ZIP archive can be used to cause an
        infinite loop inside of Compress' extra field parser used by
        the <code>ZipFile</code> and
        <code>ZipArchiveInputStream</code> classes.
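</p>

        <p>The structure such a parser walks, as an added example that
        is not Commons Compress code: an extra field is a sequence of
        records, each a 2-byte header ID, a 2-byte data size and that
        many bytes of data (all little-endian), and nothing in the
        format stops an archive from declaring a size larger than the
        bytes present. The Python below walks a field with every length
        checked against what remains and a cursor that advances on
        every iteration, and decodes the Info-ZIP <code>0x7875</code>
        UID/GID record, whose nested size bytes need the same treatment.
        The three sample fields are constructed for the illustration and
        the function names are assumptions.</p>
<source><![CDATA[
```python
"""Bounds-checked walk of a ZIP extra field.

Layout (PKWARE APPNOTE, section 4.5): a sequence of records
    header ID   2 bytes, little-endian
    data size   2 bytes, little-endian
    data        <data size> bytes
until the field is exhausted. The sizes come from the archive, so each
one is validated against the bytes actually present before it is used,
and the cursor moves forward on every iteration so the walk always ends.
Sample fields below are constructed for this illustration, not taken
from any real archive.
"""
import struct

INFOZIP_UNIX_NEW = 0x7875    # Info-ZIP "ux": version, uid size, uid, gid size, gid
EXTENDED_TIMESTAMP = 0x5455  # Info-ZIP "UT": flags byte, then 32-bit times


class MalformedExtraField(ValueError):
    """Raised instead of looping or reading past the end of the field."""


def walk_extra_field(extra):
    """Return a list of (header_id, data) records; raise on a malformed field.

    Loop invariant: pos grows by 4 + size (at least 4) every iteration, so
    the walk finishes after at most len(extra) // 4 records, whatever the
    declared sizes say.
    """
    records, pos, end = [], 0, len(extra)
    while pos != end:
        if end - pos < 4:
            raise MalformedExtraField(
                f"{end - pos} trailing byte(s) at offset {pos}: no room for a header")
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if size > end - pos - 4:
            raise MalformedExtraField(
                f"record 0x{header_id:04x} at offset {pos} declares {size} bytes, "
                f"only {end - pos - 4} remain")
        records.append((header_id, bytes(extra[pos + 4:pos + 4 + size])))
        pos += 4 + size
    return records


def decode_infozip_unix(data):
    """Decode a 0x7875 record to (uid, gid). Its inner size bytes are also
    attacker-controlled, so they get the same bounds check as the outer size."""
    if len(data) < 2 or data[0] != 1:
        raise MalformedExtraField("0x7875: missing or unsupported version byte")
    pos, values = 1, []
    for name in ("uid", "gid"):
        if pos >= len(data):
            raise MalformedExtraField(f"0x7875: no size byte for {name}")
        n = data[pos]
        pos += 1
        if n > len(data) - pos:
            raise MalformedExtraField(f"0x7875: {name} size {n} exceeds the record")
        values.append(int.from_bytes(data[pos:pos + n], "little"))
        pos += n
    return tuple(values)


def audit(extra):
    """Single entry point for callers and tests: ('ok', ids, owners) or
    ('rejected', reason). Rejection, not best-effort recovery, is the
    right answer for a malformed field in an untrusted archive."""
    try:
        records = walk_extra_field(extra)
        ids = [hid for hid, _ in records]
        owners = [decode_infozip_unix(d) for hid, d in records if hid == INFOZIP_UNIX_NEW]
        return ("ok", ids, owners)
    except MalformedExtraField as exc:
        return ("rejected", str(exc))


def ux_record(uid, gid):
    """Build a well-formed 0x7875 record with 4-byte uid and gid."""
    body = bytes([1, 4]) + uid.to_bytes(4, "little") + bytes([4]) + gid.to_bytes(4, "little")
    return struct.pack("<HH", INFOZIP_UNIX_NEW, len(body)) + body


# Constructed samples.
GOOD = (ux_record(1000, 1000)
        + struct.pack("<HH", EXTENDED_TIMESTAMP, 5) + bytes([1]) + (1_600_000_000).to_bytes(4, "little"))
# Outer size lies: declares 512 bytes of data, only 8 follow.
OVERSIZED = struct.pack("<HH", 0x0017, 512) + bytes(8)
# Outer size is honest (11 bytes), the inner uid size (200) is not.
NESTED_LIE = struct.pack("<HH", INFOZIP_UNIX_NEW, 11) + bytes([1, 200]) + bytes(9)

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("oversized", OVERSIZED), ("nested lie", NESTED_LIE)):
        print(label, audit(sample))
```
]]></source>
        <p>The same two rules, check every declared length against the
        bytes that remain and make the cursor advance on every pass, are
        what keep any record-specific decoder, including one for the
        <code>0x0017</code> strong encryption header named in the fix
        below, from looping on crafted input.</p>
        <p>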
        That infinite loop can be used to mount a denial of service
        attack against services that use Compress' zip package.</p>

        <p>This was fixed in revision <a
        href="https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java;h=acc3b22346b49845e85b5ef27a5814b69e834139;hp=0feb9c98cc622cde1defa3bbd268ef82b4ae5c18;hb=2a2f1dc48e22a34ddb72321a4db211da91aa933b;hpb=dcb0486fb4cb2b6592c04d6ec2edbd3f690df5f2">2a2f1dc4</a>.</p>

        <p>This was first reported to the project's JIRA on <a
        href="https://issues.apache.org/jira/browse/COMPRESS-432">19
        December 2017</a>.</p>

        <p>Affects: 1.11 - 1.15</p>

      </subsection>

      <subsection name="Fixed in Apache Commons Compress 1.4.1">
        <p><b>Low: Denial of Service</b> <a
        href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098">CVE-2012-2098</a></p>

        <p>The bzip2 compressing streams in Apache Commons Compress
        internally use sorting algorithms with unacceptable
        worst-case performance on very repetitive inputs.
A 109 specially crafted input to Compress' 110 <code>BZip2CompressorOutputStream</code> can be used to make 111 the process spend a very long time while using up all 112 available processing time effectively leading to a denial of 113 service.</p> 114 115 <p>This was fixed in revisions 116 <a href="https://svn.apache.org/viewvc?view=revision&revision=1332540">1332540</a>, 117 <a href="https://svn.apache.org/viewvc?view=revision&revision=1332552">1332552</a>, 118 <a href="https://svn.apache.org/viewvc?view=revision&revision=1333522">1333522</a>, 119 <a href="https://svn.apache.org/viewvc?view=revision&revision=1337444">1337444</a>, 120 <a href="https://svn.apache.org/viewvc?view=revision&revision=1340715">1340715</a>, 121 <a href="https://svn.apache.org/viewvc?view=revision&revision=1340723">1340723</a>, 122 <a href="https://svn.apache.org/viewvc?view=revision&revision=1340757">1340757</a>, 123 <a href="https://svn.apache.org/viewvc?view=revision&revision=1340786">1340786</a>, 124 <a href="https://svn.apache.org/viewvc?view=revision&revision=1340787">1340787</a>, 125 <a href="https://svn.apache.org/viewvc?view=revision&revision=1340790">1340790</a>, 126 <a href="https://svn.apache.org/viewvc?view=revision&revision=1340795">1340795</a> and 127 <a href="https://svn.apache.org/viewvc?view=revision&revision=1340799">1340799</a>.</p> 128 129 <p>This was first reported to the Security Team on 12 April 130 2012 and made public on 23 May 2012.</p> 131 132 <p>Affects: 1.0 - 1.4</p> 133 134 </subsection> 135 </section> 136 137 <section name="Errors and Ommissions"> 138 <p>Please report any errors or omissions to <a 139 href="mail-lists.html">the dev mailing list</a>.</p> 140 </section> 141 </body> 142</document> 143