snappy-java is a Java port of Snappy, a fast C++ compressor/decompressor developed by Google. SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data that declares an overly large chunk size. Because the chunk length read from the stream has no upper-bound check before the reader allocates a buffer of that size, an unrecoverable fatal error can occur. All versions of snappy-java up to and including the latest released version, 1.1.10.3, are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74`, which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
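The following is an added example, not snappy-java's own code and not the fix from commit `9f8c3cf74`: a minimal Python model of a reader for a snappy-java-style framed stream that validates each chunk length before allocating the chunk buffer, which is the class of check this advisory says was missing. The framing (an assumed 16-byte header of magic `\x82SNAPPY\x00` plus two big-endian int32 version fields, followed by repeated `[int32 big-endian chunk length][chunk bytes]`), the 512 MiB cap, and the function names are all this example's assumptions; chunk payloads are treated as opaque and no Snappy decompression is performed.

```python
"""Model of a bounded chunk reader (added example, not snappy-java code).

Assumed framing: 16-byte header, then repeated
    [int32 big-endian chunk length][chunk bytes]
The sample streams below are constructed inline so the example runs offline.
"""
import struct

MAGIC = b"\x82SNAPPY\x00"            # assumed 8-byte stream magic
HEADER_LEN = 16                      # assumed: magic + version + compat version
MAX_CHUNK_SIZE = 512 * 1024 * 1024   # assumed upper bound on one chunk (512 MiB)


def build_stream(chunks):
    """Build a constructed stream from (declared_len, payload) pairs.

    declared_len is written verbatim, so a caller can deliberately declare a
    length that does not match the payload to simulate hostile input.
    """
    out = bytearray(MAGIC + struct.pack(">ii", 1, 1))
    for declared_len, payload in chunks:
        out += struct.pack(">i", declared_len) + payload
    return bytes(out)


def read_chunks(stream, max_chunk_size=MAX_CHUNK_SIZE):
    """Hardened reader: every chunk length is validated before any allocation.

    Returns the list of raw (still compressed) chunk payloads, or raises
    ValueError on a malformed, oversized or truncated chunk.
    """
    if len(stream) < HEADER_LEN or not stream.startswith(MAGIC):
        raise ValueError("missing or malformed stream header")
    pos = HEADER_LEN
    chunks = []
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated chunk header")
        (chunk_len,) = struct.unpack_from(">i", stream, pos)   # signed int32
        pos += 4
        # The checks an unbounded reader skips before `new byte[chunkSize]`:
        if chunk_len <= 0:
            raise ValueError(f"invalid chunk length {chunk_len}")
        if chunk_len > max_chunk_size:
            raise ValueError(f"chunk length {chunk_len} exceeds limit {max_chunk_size}")
        if chunk_len > len(stream) - pos:
            raise ValueError(f"chunk length {chunk_len} exceeds remaining input")
        buf = bytearray(chunk_len)           # allocation happens only after validation
        buf[:] = stream[pos:pos + chunk_len]
        chunks.append(bytes(buf))
        pos += chunk_len
    return chunks


def declared_first_chunk_length(stream):
    """The attacker-controlled int32 right after the header: the value an
    unchecked reader would hand straight to its buffer allocation."""
    (chunk_len,) = struct.unpack_from(">i", stream, HEADER_LEN)
    return chunk_len


if __name__ == "__main__":
    benign = build_stream([(3, b"abc"), (2, b"de")])
    print("benign chunks:", read_chunks(benign))
    # Declares 2 GiB (the largest positive int32) while carrying only 3 bytes.
    hostile = build_stream([(0x7FFFFFFF, b"abc")])
    print("unchecked reader would allocate", declared_first_chunk_length(hostile), "bytes")
    try:
        read_chunks(hostile)
    except ValueError as err:
        print("hardened reader rejected it:", err)
```

The cap on `max_chunk_size` is the check that matters for a streaming reader: the "exceeds remaining input" test only works here because the whole stream is in memory, whereas a real SnappyInputStream reads from a socket or file and cannot know how many bytes follow, so an explicit upper bound on the declared length is the only defence against a single 4-byte field requesting a multi-gigabyte allocation.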
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee696b689615b4e1fd5944d945bbff82e36b09af

commit ee696b689615b4e1fd5944d945bbff82e36b09af
Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-10-21 06:52:31 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-10-22 07:23:41 +0000

    dev-java/snappy: add 1.1.10.5 - CVE-2023-43642

    Bug: https://bugs.gentoo.org/916063
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/33438
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snappy/Manifest                          |   1 +
 .../snappy-1.1.10.5-SnappyOutputStreamTest.patch  |  30 +++++
 dev-java/snappy/snappy-1.1.10.5.ebuild            | 125 +++++++++++++++++++++
 3 files changed, 156 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a0c5e51b3b2f1fa38d3fb3939167b2eff720854

commit 8a0c5e51b3b2f1fa38d3fb3939167b2eff720854
Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-11-25 06:51:56 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-11-25 08:40:16 +0000

    dev-java/snappy: drop 1.1.7.8-r1

    Bug: https://bugs.gentoo.org/916063
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snappy/Manifest                          |   1 -
 .../snappy/files/1.1.7.8-remove-perl-usage.patch  |  38 -----
 dev-java/snappy/files/1.x-build.xml               | 185 ---------------------
 dev-java/snappy/snappy-1.1.7.8-r1.ebuild          |  97 ----------
 4 files changed, 321 deletions(-)
the tree is clean now, you can proceed