CVE-2021-35515 (https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E): When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

CVE-2021-35516 (https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E): When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

CVE-2021-35517 (https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E): When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

CVE-2021-36090 (https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E): When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Fixes in 1.21, please bump.
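The four advisories above share one failure mode: a small, untrusted archive drives the library into unbounded work or allocation. The only complete fix is the 1.21 bump, because the infinite loop and the header-driven allocations happen while the archive metadata is parsed, before any entry data is read. What a service consuming archives can do in addition is hold the decoder to a memory budget and cap how many entries and how many decompressed bytes it is willing to process. The following is an added example written for this bug, not code from Apache Commons Compress or from the Gentoo package; the limit constants are hypothetical values chosen for illustration, and `sink(...)` stands in for whatever the service does with extracted bytes.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;

import org.apache.commons.compress.archivers.sevenz.SevenZArchiveEntry;
import org.apache.commons.compress.archivers.sevenz.SevenZFile;
import org.apache.commons.compress.archivers.sevenz.SevenZFileOptions;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipFile;

/** Bounded reading of 7z and ZIP archives received from untrusted sources (example code). */
public final class BoundedArchiveReader {
    // Hypothetical limits for this example; tune them to the service's actual resource budget.
    private static final int  MAX_ENTRIES        = 10_000;
    private static final long MAX_TOTAL_BYTES    = 256L * 1024 * 1024; // 256 MiB of decompressed data
    private static final int  MAX_DECODER_MEM_KB = 64 * 1024;          // 64 MiB for LZMA/LZMA2 decoder state

    private BoundedArchiveReader() {}

    /** Raised as soon as an archive would exceed one of the configured caps. */
    public static final class ArchiveLimitExceeded extends IOException {
        ArchiveLimitExceeded(String msg) { super(msg); }
    }

    /** Reads every entry of a 7z archive under the caps; returns the number of bytes decompressed. */
    public static long read7z(File archive) throws IOException {
        // withMaxMemoryLimitInKb bounds the memory the LZMA/LZMA2 decoders may claim for one entry.
        SevenZFileOptions opts = SevenZFileOptions.builder()
                .withMaxMemoryLimitInKb(MAX_DECODER_MEM_KB)
                .build();
        long total = 0;
        int entries = 0;
        byte[] buf = new byte[8192];
        try (SevenZFile sz = new SevenZFile(archive, opts)) {
            SevenZArchiveEntry e;
            while ((e = sz.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) throw new ArchiveLimitExceeded("too many entries");
                if (e.isDirectory()) continue;
                int n;
                while ((n = sz.read(buf)) > 0) {
                    total += n;
                    // Count what was actually produced; e.getSize() is header-declared and untrusted.
                    if (total > MAX_TOTAL_BYTES) throw new ArchiveLimitExceeded("decompressed size cap hit");
                    sink(buf, n);
                }
            }
        }
        return total;
    }

    /** Same policy for ZIP archives; returns the number of bytes decompressed. */
    public static long readZip(File archive) throws IOException {
        long total = 0;
        int entries = 0;
        byte[] buf = new byte[8192];
        try (ZipFile zf = new ZipFile(archive)) {
            Enumeration<ZipArchiveEntry> en = zf.getEntries();
            while (en.hasMoreElements()) {
                ZipArchiveEntry e = en.nextElement();
                if (++entries > MAX_ENTRIES) throw new ArchiveLimitExceeded("too many entries");
                if (e.isDirectory()) continue;
                try (InputStream in = zf.getInputStream(e)) {
                    int n;
                    while ((n = in.read(buf)) > 0) {
                        total += n;
                        if (total > MAX_TOTAL_BYTES) throw new ArchiveLimitExceeded("decompressed size cap hit");
                        sink(buf, n);
                    }
                }
            }
        }
        return total;
    }

    /** Placeholder consumer for extracted bytes (hypothetical; a real service would write or scan them). */
    private static void sink(byte[] buf, int n) { /* no-op in this example */ }

    public static void main(String[] args) throws IOException {
        File f = new File(args[0]);
        long bytes = args[0].endsWith(".7z") ? read7z(f) : readZip(f);
        System.out.println("decompressed " + bytes + " bytes within limits");
    }
}
```

Two points follow from the advisories. First, the caps above only bound work that happens after the archive structure has been parsed, so on a vulnerable 1.20 they do not prevent the looping or the oversized allocation the advisories describe; they are defence in depth for the upgraded library, not a substitute for it. Second, the counters deliberately track bytes read rather than the sizes the archive headers claim, since the whole point of a crafted archive is that its metadata lies.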
The new version introduces a dependency on asm (3.2). I was not able to compile the new version of commons-compress against asm:9 nor asm:5, so it seems we need to package asm-3.3.1 first to be able to bump commons-compress to 1.21.
Package list is empty or all packages have requested keywords.
(In reply to Miroslav Šulc from comment #1)
> the new version introduces a dependency on asm (3.2). i was not able to
> compile the new version of commons-compress against asm:9 nor asm:5 so it
> seems we need to package asm-3.3.1 first to be able to bump commons-compress
> to 1.21.

Upstream should lift to newer asm version: https://issues.apache.org/jira/browse/COMPRESS-582
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67f37a4652c157fd4e616cbb052f725d84dd3315

commit 67f37a4652c157fd4e616cbb052f725d84dd3315
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-10-12 06:51:38 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-10-12 06:51:48 +0000

    dev-java/commons-compress: bump to 1.21

    Bug: https://bugs.gentoo.org/802078
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-compress/Manifest                  |   1 +
 .../commons-compress/commons-compress-1.21.ebuild   |  73 +++++++++
 .../files/commons-compress-1.21-asm7+.patch         | 164 +++++++++++++++++++++
 3 files changed, 238 insertions(+)
I'd wait a week or so before stabilization, as we do not have tests implemented for this package.
(In reply to Miroslav Šulc from comment #11)
> i'd wait a week or so before stabilization as we do not have tests
> implemented for this package

Fine by me, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c643dd06d913de966f7c75763381d118a2064d06

commit c643dd06d913de966f7c75763381d118a2064d06
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-11-12 12:31:00 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-11-12 12:31:00 +0000

    dev-java/commons-compress: removed obsolete and vulnerable 1.20

    Bug: https://bugs.gentoo.org/802078
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-compress/Manifest                  |  1 -
 .../commons-compress/commons-compress-1.20.ebuild   | 41 ----------------------
 2 files changed, 42 deletions(-)
The tree is clean now, you can proceed.
Thank you!