916063 – (CVE-2023-43642) <dev-java/snappy-1.1.10.5: Denial of Service

Bug 916063 (CVE-2023-43642) - <dev-java/snappy-1.1.10.5: Denial of Service

Summary: <dev-java/snappy-1.1.10.5: Denial of Service

Status:	IN_PROGRESS

Alias:	CVE-2023-43642

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa?]
Keywords:	PullRequest

Depends on:	917560
Blocks:
	Show dependency tree

Reported:	2023-10-21 07:14 UTC by Volkmar W. Pogatzki
Modified:	2023-11-25 09:40 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/33438 https://github.com/gentoo/gentoo/pull/33973
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Volkmar W. Pogatzki 2023-10-21 07:14:46 UTC

snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.

Comment 1 Larry the Git Cow gentoo-dev

2023-10-22 07:26:21 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee696b689615b4e1fd5944d945bbff82e36b09af

commit ee696b689615b4e1fd5944d945bbff82e36b09af
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-10-21 06:52:31 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-10-22 07:23:41 +0000

    dev-java/snappy: add 1.1.10.5 - CVE-2023-43642
    
    Bug: https://bugs.gentoo.org/916063
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/33438
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snappy/Manifest                           |   1 +
 .../snappy-1.1.10.5-SnappyOutputStreamTest.patch   |  30 +++++
 dev-java/snappy/snappy-1.1.10.5.ebuild             | 125 +++++++++++++++++++++
 3 files changed, 156 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2023-11-25 08:40:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a0c5e51b3b2f1fa38d3fb3939167b2eff720854

commit 8a0c5e51b3b2f1fa38d3fb3939167b2eff720854
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-11-25 06:51:56 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-11-25 08:40:16 +0000

    dev-java/snappy: drop 1.1.7.8-r1
    
    Bug: https://bugs.gentoo.org/916063
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snappy/Manifest                           |   1 -
 .../snappy/files/1.1.7.8-remove-perl-usage.patch   |  38 -----
 dev-java/snappy/files/1.x-build.xml                | 185 ---------------------
 dev-java/snappy/snappy-1.1.7.8-r1.ebuild           |  97 -----------
 4 files changed, 321 deletions(-)

Comment 3 Miroslav Šulc gentoo-dev

2023-11-25 08:41:27 UTC

the tree is clean now, you can proceed