Bug 916063 (CVE-2023-43642)

Summary: <dev-java/snappy-1.1.10.5: Denial of Service
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Volkmar W. Pogatzki <gentoo>
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
Priority: Normal
CC: fordfrog, java
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/33438
          https://github.com/gentoo/gentoo/pull/33973
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 917560
Bug Blocks:

Description Volkmar W. Pogatzki 2023-10-21 07:14:46 UTC
snappy-java is a Java port of snappy, a fast C++ compressor/decompressor developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to a missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
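
The class of bug described above, a chunk length taken from the input and used without an upper bound, shown as an added example that is not part of this bug report and is not snappy-java's code. The framing (a 4-byte big-endian length followed by the payload), the names `BoundedChunkReader` and `readChunk`, and the 1 MiB value of `MAX_CHUNK_SIZE` are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

// Added illustration: a simplified length-prefixed chunk reader, not snappy-java's code.
public class BoundedChunkReader {
    // Assumed cap for this example; pick one that fits the data you expect.
    static final int MAX_CHUNK_SIZE = 1 << 20; // 1 MiB

    // Reads one chunk framed as a 4-byte big-endian length followed by the payload.
    // Returns null when the stream ends before a complete length header.
    static byte[] readChunk(InputStream in) throws IOException {
        DataInputStream data = new DataInputStream(in);
        int length;
        try {
            length = data.readInt();
        } catch (EOFException e) {
            return null;
        }
        // Without this check, "new byte[length]" trusts a value taken from the input:
        // a negative length throws NegativeArraySizeException and a very large one
        // can fail with OutOfMemoryError, which callers rarely recover from.
        if (length < 0 || length > MAX_CHUNK_SIZE) {
            throw new IOException("chunk length out of range: " + length);
        }
        byte[] chunk = new byte[length];
        data.readFully(chunk); // throws EOFException if the payload is truncated
        return chunk;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a valid 3-byte chunk, then headers claiming 2 GiB - 1 and -1.
        byte[] ok = {0, 0, 0, 3, 'a', 'b', 'c'};
        byte[] huge = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        byte[] negative = {(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};

        System.out.println(new String(readChunk(new ByteArrayInputStream(ok)), StandardCharsets.US_ASCII));
        for (byte[] bad : new byte[][] {huge, negative}) {
            try {
                readChunk(new ByteArrayInputStream(bad));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```
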
Comment 1 Larry the Git Cow gentoo-dev 2023-10-22 07:26:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee696b689615b4e1fd5944d945bbff82e36b09af

commit ee696b689615b4e1fd5944d945bbff82e36b09af
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-10-21 06:52:31 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-10-22 07:23:41 +0000

    dev-java/snappy: add 1.1.10.5 - CVE-2023-43642
    
    Bug: https://bugs.gentoo.org/916063
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/33438
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snappy/Manifest                           |   1 +
 .../snappy-1.1.10.5-SnappyOutputStreamTest.patch   |  30 +++++
 dev-java/snappy/snappy-1.1.10.5.ebuild             | 125 +++++++++++++++++++++
 3 files changed, 156 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-11-25 08:40:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a0c5e51b3b2f1fa38d3fb3939167b2eff720854

commit 8a0c5e51b3b2f1fa38d3fb3939167b2eff720854
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-11-25 06:51:56 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-11-25 08:40:16 +0000

    dev-java/snappy: drop 1.1.7.8-r1
    
    Bug: https://bugs.gentoo.org/916063
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snappy/Manifest                           |   1 -
 .../snappy/files/1.1.7.8-remove-perl-usage.patch   |  38 -----
 dev-java/snappy/files/1.x-build.xml                | 185 ---------------------
 dev-java/snappy/snappy-1.1.7.8-r1.ebuild           |  97 -----------
 4 files changed, 321 deletions(-)
Comment 3 Miroslav Šulc gentoo-dev 2023-11-25 08:41:27 UTC
the tree is clean now, you can proceed