| Summary: | <dev-java/ant-1.8.4, <dev-java/commons-compress-1.4.1 - Bzip2 Compression Denial of Service Vulnerability (CVE-2012-2098) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Manuel Rüger (RETIRED) <mrueg> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | java, tommy |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/49286/ | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Manuel Rüger (RETIRED)
2012-05-28 03:11:27 UTC
The vulnerability is caused due to the application bundling a vulnerable version of the Apache Commons Compress library. For more information: SA49255

The vulnerability is reported in versions 1.5 through 1.8.3.

Solution: Update to version 1.8.4.

Original Advisory: http://ant.apache.org/security.html

The following packages are now in tree. As the severity is low I don't CC archs just yet.

=dev-java/ant-1.8.4
=dev-java/ant-antlr-1.8.4
=dev-java/ant-apache-bcel-1.8.4
=dev-java/ant-apache-bsf-1.8.4
=dev-java/ant-apache-log4j-1.8.4
=dev-java/ant-apache-oro-1.8.4
=dev-java/ant-apache-regexp-1.8.4
=dev-java/ant-apache-resolver-1.8.4
=dev-java/ant-apache-xalan2-1.8.4
=dev-java/ant-commons-logging-1.8.4
=dev-java/ant-commons-net-1.8.4
=dev-java/ant-core-1.8.4
=dev-java/ant-jai-1.8.4
=dev-java/ant-javamail-1.8.4
=dev-java/ant-jdepend-1.8.4
=dev-java/ant-jmf-1.8.4
=dev-java/ant-jsch-1.8.4
=dev-java/ant-junit-1.8.4
=dev-java/ant-junit4-1.8.4
=dev-java/ant-nodeps-1.8.4
=dev-java/ant-swing-1.8.4
=dev-java/ant-testutil-1.8.4
=dev-java/ant-trax-1.8.4

Thanks Ralph and Manuel for reporting.

commons-compress-1.4.1 now also added to the tree; it got a new additional dependency (dev-java/xz-java), so when things go stable, the targets would be:

=dev-java/commons-compress-1.4.1
=dev-java/xz-java-1.0

Adding archs. Please stabilize Ant 1.8.4. A full list of packages can be found in comment 2. Target keywords are amd64 ppc ppc64 x86.

Please also stabilize commons-compress and xz-java as listed in comment 4. Target keywords are amd64 x86. Thanks.

amd64 stable

x86 stable

CVE-2012-2098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2098): Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.

ppc stable.

ppc64 stable

Thanks, everyone. GLSA vote: no.

Thanks, everyone. GLSA Vote: no.

Closing noglsa.