xref: /aosp_15_r20/external/apache-commons-compress/src/site/xdoc/security-reports.xml (revision ba8755cb0ae00084b4d58129cd522613d3299f27)

<?xml version="1.0"?>
<!--

   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
   this work for additional information regarding copyright ownership.
   The ASF licenses this file to You under the Apache License, Version 2.0
   (the "License"); you may not use this file except in compliance with
   the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
-->
<document>
    <properties>
        <title>Commons Compress Security Reports</title>
        <author email="[email protected]">Commons Documentation Team</author>
    </properties>
    <body>
      <section name="General Information">
        <p>For information about reporting or asking questions about
        security problems, please see the <a
        href="https://commons.apache.org/security.html">security page
        of the Commons project</a>.</p>
      </section>

      <section name="Apache Commons Compress Security Vulnerabilities">
        <p>This page lists all security vulnerabilities fixed in
        released versions of Apache Commons Compress. Each
        vulnerability is given a security impact rating by the
        development team - please note that this rating may vary from
        platform to platform. We also list the versions of Commons
        Compress the flaw is known to affect, and where a flaw has not
        been verified list the version with a question mark.</p>

        <p>Please note that binary patches are never provided. If you
        need to apply a source code patch, use the building
        instructions for the Commons Compress version that you are
        using.</p>

        <p>If you need help on building Commons Compress or other help
        on following the instructions to mitigate the known
        vulnerabilities listed here, please send your questions to the
        public <a href="mail-lists.html">Compress Users mailing
        list</a>.</p>

        <p>If you have encountered an unlisted security vulnerability
        or other unexpected behaviour that has security impact, or if
        the descriptions here are incomplete, please report them
        privately to the Apache Security Team. Thank you.</p>

        <subsection name="Fixed in Apache Commons Compress 1.18">
          <p><b>Low: Denial of Service</b> <a
          href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771">CVE-2018-11771</a></p>

          <p>When reading a specially crafted ZIP archive, the read
          method of <code>ZipArchiveInputStream</code> can fail to
          return the correct EOF indication after the end of the
          stream has been reached. When combined with a
          <code>java.io.InputStreamReader</code> this can lead to an
          infinite stream, which can be used to mount a denial of
          service attack against services that use Compress' zip
          package</p>

          <p>This was fixed in revision <a
          href="https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java;h=e1995d7aa51dfac6ae933987fb0b7760c607582b;hp=0a2c1aa0063c620c867715119eae2013c87b5e70;hb=a41ce6892cb0590b2e658704434ac0dbcb6834c8;hpb=64ed6dde03afbef6715fdfdeab5fc04be6192899">a41ce68</a>.</p>

          <p>This was first reported to the Security Team on 14 June
          2018 and made public on 16 August 2018.</p>

          <p>Affects: 1.7 - 1.17</p>

        </subsection>

        <subsection name="Fixed in Apache Commons Compress 1.16">
          <p><b>Low: Denial of Service</b> <a
          href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324">CVE-2018-1324</a></p>

          <p>A specially crafted ZIP archive can be used to cause an
          infinite loop inside of Compress' extra field parser used by
          the <code>ZipFile</code> and
          <code>ZipArchiveInputStream</code> classes.  This can be
          used to mount a denial of service attack against services
          that use Compress' zip package.</p>

          <p>This was fixed in revision <a
          href="https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java;h=acc3b22346b49845e85b5ef27a5814b69e834139;hp=0feb9c98cc622cde1defa3bbd268ef82b4ae5c18;hb=2a2f1dc48e22a34ddb72321a4db211da91aa933b;hpb=dcb0486fb4cb2b6592c04d6ec2edbd3f690df5f2">2a2f1dc4</a>.</p>

          <p>This was first reported to the project's JIRA on <a
          href="https://issues.apache.org/jira/browse/COMPRESS-432">19
          December 2017</a>.</p>

          <p>Affects: 1.11 - 1.15</p>

        </subsection>

        <subsection name="Fixed in Apache Commons Compress 1.4.1">
          <p><b>Low: Denial of Service</b> <a
          href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098">CVE-2012-2098</a></p>

          <p>The bzip2 compressing streams in Apache Commons Compress
          internally use sorting algorithms with unacceptable
          worst-case performance on very repetitive inputs.  A
          specially crafted input to Compress'
          <code>BZip2CompressorOutputStream</code> can be used to make
          the process spend a very long time while using up all
          available processing time effectively leading to a denial of
          service.</p>

          <p>This was fixed in revisions
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1332540">1332540</a>,
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1332552">1332552</a>,
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1333522">1333522</a>,
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1337444">1337444</a>,
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340715">1340715</a>,
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340723">1340723</a>,
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340757">1340757</a>,
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340786">1340786</a>,
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340787">1340787</a>,
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340790">1340790</a>,
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340795">1340795</a> and
          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340799">1340799</a>.</p>

          <p>This was first reported to the Security Team on 12 April
          2012 and made public on 23 May 2012.</p>

          <p>Affects: 1.0 - 1.4</p>

        </subsection>
      </section>

      <section name="Errors and Ommissions">
        <p>Please report any errors or omissions to <a
        href="mail-lists.html">the dev mailing list</a>.</p>
      </section>
    </body>
</document>