http://ant.apache.org/security.html Low: Denial of Service CVE-2012-2098 The bzip2 compressing streams in Apache Ant internally use sorting algorithms with unacceptable worst-case performance on very repetitive inputs. A specially crafted input to Ants' <bzip2> task can be used to make the process spend a very long time while using up all available processing time effectively leading to a denial of service. This was fixed in revisions 1340895 and 1340990. This was first reported to the Security Team on 12 April 2012 and made public on 23 May 2012. Affects: 1.5 - 1.8.3 Please add 1.8.4 to the tree.
The vulnerability is caused due to the application bundling a vulnerable version of the Apache Commons Compress library. For more information: SA49255 The vulnerability is reported in versions 1.5 through 1.8.3. Solution Update to version 1.8.4. Original Advisory http://ant.apache.org/security.html
The following packages are now in tree. As the severity is low I don't CC archs just yet. =dev-java/ant-1.8.4 =dev-java/ant-antlr-1.8.4 =dev-java/ant-apache-bcel-1.8.4 =dev-java/ant-apache-bsf-1.8.4 =dev-java/ant-apache-log4j-1.8.4 =dev-java/ant-apache-oro-1.8.4 =dev-java/ant-apache-regexp-1.8.4 =dev-java/ant-apache-resolver-1.8.4 =dev-java/ant-apache-xalan2-1.8.4 =dev-java/ant-commons-logging-1.8.4 =dev-java/ant-commons-net-1.8.4 =dev-java/ant-core-1.8.4 =dev-java/ant-jai-1.8.4 =dev-java/ant-javamail-1.8.4 =dev-java/ant-jdepend-1.8.4 =dev-java/ant-jmf-1.8.4 =dev-java/ant-jsch-1.8.4 =dev-java/ant-junit-1.8.4 =dev-java/ant-junit4-1.8.4 =dev-java/ant-nodeps-1.8.4 =dev-java/ant-swing-1.8.4 =dev-java/ant-testutil-1.8.4 =dev-java/ant-trax-1.8.4
Thanks Ralph and Manuel for reporting
commons-compress-1.4.1 now also added to the tree, it got a new additional dependency (dev-java/xz-java), so when things go stable, the targets would be =dev-java/commons-compress-1.4.1 =dev-java/xz-java-1.0
Adding archs. Please stabilize Ant 1.8.4. A full list of packages can be found in comment 2. Target keywords are amd64 ppc ppc64 x86. Please also stabilize commons-compress and xz-java as listed in comment 4: Target keywords are amd64 x86. Thanks.
amd64 stable
x86 stable
CVE-2012-2098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2098): Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
ppc stable.
ppc64 stable
Thanks, everyone. GLSA vote: no.
Thanks, everyone. GLSA Vote: no. Closing noglsa.
