snappy-java: CVE-2023-43642

Debian Bug report logs - #1053474

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 4 Oct 2023 19:45:02 UTC

Severity: important

Tags: security, upstream

Found in version snappy-java/1.1.8.3-1

Fixed in version snappy-java/1.1.10.5-1

Done: tony mancill <tmancill@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1053474; Package src:snappy-java. (Wed, 04 Oct 2023 19:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 04 Oct 2023 19:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: snappy-java: CVE-2023-43642
Date: Wed, 04 Oct 2023 21:41:10 +0200
Source: snappy-java
Version: 1.1.8.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for snappy-java.

CVE-2023-43642[0]:
| snappy-java is a Java port of the snappy, a fast C++
| compressor/decompressor developed by Google. The SnappyInputStream
| was found to be vulnerable to Denial of Service (DoS) attacks when
| decompressing data with a too large chunk size. Due to missing upper
| bound check on chunk length, an unrecoverable fatal error can occur.
| All versions of snappy-java including the latest released version
| 1.1.10.3 are vulnerable to this issue. A fix has been introduced in
| commit `9f8c3cf74` which will be included in the 1.1.10.4 release.
| Users are advised to upgrade. Users unable to upgrade should only
| accept compressed data from trusted sources.

Please double check, as I am mainly filing this issue to make you aware of
the upstream issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43642
    https://www.cve.org/CVERecord?id=CVE-2023-43642
[1] https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5
[2] https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
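The missing bound described in the CVE text above, shown as an added example that is not part of this bug report or of snappy-java's own code: a length-prefixed chunk reader that validates the untrusted length before it is used to size a buffer. The framing (a 4-byte big-endian signed length before each chunk, mirroring a Java readInt()) and the MAX_CHUNK_LEN ceiling are assumptions for illustration, not snappy-java's exact stream layout.

```python
import struct
from typing import Iterator, List

# Assumed policy ceiling on a single chunk; a real reader would derive
# this from the format's documented block size rather than a guess.
MAX_CHUNK_LEN = 1 << 20
HEADER_LEN = 4  # assumed: 4-byte big-endian signed length prefix


class ChunkError(ValueError):
    """Raised when a chunk header is malformed or exceeds policy."""


def frame(chunks: List[bytes]) -> bytes:
    """Constructed sample input: prefix each chunk with its length."""
    return b"".join(struct.pack(">i", len(c)) + c for c in chunks)


def iter_chunks(data: bytes, max_len: int = MAX_CHUNK_LEN) -> Iterator[bytes]:
    """Yield chunk bodies, rejecting any header that is out of bounds."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < HEADER_LEN:
            raise ChunkError("truncated chunk header")
        (chunk_len,) = struct.unpack_from(">i", data, pos)
        pos += HEADER_LEN
        # The check the CVE text says was missing: bound the untrusted
        # length before allocating for it. A signed read also turns
        # lengths >= 2**31 negative, so reject those as well.
        if chunk_len < 0 or chunk_len > max_len:
            raise ChunkError(f"chunk length {chunk_len} outside 0..{max_len}")
        if len(data) - pos < chunk_len:
            raise ChunkError("chunk body truncated")
        yield data[pos:pos + chunk_len]  # only now is allocation safe
        pos += chunk_len


def read_all(data: bytes, max_len: int = MAX_CHUNK_LEN) -> List[bytes]:
    """Materialise every chunk; raises ChunkError on the first bad header."""
    return list(iter_chunks(data, max_len))


def is_accepted(data: bytes, max_len: int = MAX_CHUNK_LEN) -> bool:
    """True if every chunk header in the stream passes the bound checks."""
    try:
        read_all(data, max_len)
        return True
    except ChunkError:
        return False
```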



Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Thu, 05 Oct 2023 05:39:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 05 Oct 2023 05:39:10 GMT)


Message #10 received at 1053474-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1053474-close@bugs.debian.org
Subject: Bug#1053474: fixed in snappy-java 1.1.10.5-1
Date: Thu, 05 Oct 2023 05:34:05 +0000
Source: snappy-java
Source-Version: 1.1.10.5-1
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
snappy-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053474@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated snappy-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 04 Oct 2023 22:03:02 -0700
Source: snappy-java
Architecture: source
Version: 1.1.10.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 1053474
Changes:
 snappy-java (1.1.10.5-1) unstable; urgency=medium
 .
   * Team upload.
   * Update debian/watch to detect new tagging format
   * New upstream version 1.1.10.5
     - Mitigates CVE-2023-43642 (Closes: #1053474)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1053474; Package src:snappy-java. (Thu, 05 Oct 2023 17:33:02 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 05 Oct 2023 17:33:02 GMT)


Message #15 received at 1053474@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 1053474@bugs.debian.org
Subject: Re: Bug#1053474: snappy-java: CVE-2023-43642
Date: Thu, 5 Oct 2023 10:31:30 -0700
On Wed, Oct 04, 2023 at 09:41:10PM +0200, Salvatore Bonaccorso wrote:
> Source: snappy-java
> Version: 1.1.8.3-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> The following vulnerability was published for snappy-java.
> 
> CVE-2023-43642[0]:
>
> ...(SNIP)...
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2023-43642
>     https://www.cve.org/CVERecord?id=CVE-2023-43642
> [1] https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5
> [2] https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv

The latest upstream version 1.1.10.5 has been uploaded to unstable.

I will look into what is required to apply the patch referenced above
against 1.1.8.3 for bookworm and bullseye.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Oct 5 17:53:00 2023; Machine Name: buxtehude
