libcommons-compress-java: CVE-2018-1324: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes

Related Vulnerabilities: CVE-2018-1324  

Debian Bug report logs - #893174


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 17 Mar 2018 06:51:01 UTC

Severity: important

Tags: patch, pending, security, upstream

Found in version libcommons-compress-java/1.13-1

Fixed in version libcommons-compress-java/1.13-2

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/COMPRESS-432



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893174; Package src:libcommons-compress-java. (Sat, 17 Mar 2018 06:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 17 Mar 2018 06:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libcommons-compress-java: CVE-2018-1324: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes
Date: Sat, 17 Mar 2018 07:47:49 +0100
Source: libcommons-compress-java
Version: 1.13-1
Severity: important
Tags: patch security upstream
Forwarded: https://issues.apache.org/jira/browse/COMPRESS-432

Hi,

the following vulnerability was published for libcommons-compress-java.

CVE-2018-1324[0]:
| A specially crafted ZIP archive can be used to cause an infinite loop
| inside of Apache Commons Compress' extra field parser used by the
| ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15.
| This can be used to mount a denial of service attack against services
| that use Compress' zip package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1324
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324
[1] https://issues.apache.org/jira/browse/COMPRESS-432
[2] https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java;h=acc3b22346b49845e85b5ef27a5814b69e834139;hp=0feb9c98cc622cde1defa3bbd268ef82b4ae5c18;hb=2a2f1dc48e22a34ddb72321a4db211da91aa933b;hpb=dcb0486fb4cb2b6592c04d6ec2edbd3f690df5f2

Regards,
Salvatore
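The CVE text above describes the bug class only in outline: an extra-field parser that can be made to spin forever by a crafted archive. The following Python is an added illustration, not code from this bug report and not Apache Commons Compress's own parser. It parses the generic ZIP extra-field layout (repeated 2-byte header ID, 2-byte data size, data) with explicit bounds checks, and then contrasts a careless loop with a hardened one over a hypothetical length-prefixed sub-record layout (assumed here for the demonstration, not the real 0x0017 header format) to show the property that prevents the infinite-loop failure mode: every iteration must advance the offset, and every declared length must fit in the remaining buffer. All sample inputs are constructed inline.

```python
"""Bounded parsing of ZIP extra-field data.

Illustrative example only; this is not Commons Compress code. The outer
layout follows the ZIP APPNOTE; the sub-record layout is a hypothetical
format chosen to show why a parser must guarantee forward progress.
"""
import struct


class MalformedExtraField(ValueError):
    """Raised when extra-field bytes cannot be parsed without overrunning the buffer."""


def parse_extra_fields(extra: bytes, max_fields: int = 64) -> list[tuple[int, bytes]]:
    """Split a ZIP extra field into (header_id, payload) pairs.

    Layout: repeated [header id: u16 LE][data size: u16 LE][data].
    Each iteration consumes at least the 4-byte header, and a size that
    overruns the buffer is rejected rather than clamped or ignored.
    """
    fields: list[tuple[int, bytes]] = []
    offset, total = 0, len(extra)
    while offset < total:
        if total - offset < 4:
            raise MalformedExtraField(
                f"{total - offset} trailing byte(s) at offset {offset} cannot hold a header")
        header_id, size = struct.unpack_from("<HH", extra, offset)
        offset += 4
        if size > total - offset:
            raise MalformedExtraField(
                f"field 0x{header_id:04x} declares {size} bytes but only {total - offset} remain")
        fields.append((header_id, extra[offset:offset + size]))
        offset += size
        if len(fields) > max_fields:
            raise MalformedExtraField(f"more than {max_fields} extra fields")
    return fields


def is_well_formed(extra: bytes) -> bool:
    """Convenience check: True if the extra field parses within bounds."""
    try:
        parse_extra_fields(extra)
        return True
    except MalformedExtraField:
        return False


# Hypothetical sub-record layout (constructed for this example):
# repeated [record length: u16 LE, inclusive of the 2-byte length field][payload].

def naive_record_count(data: bytes, max_iterations: int = 1000):
    """Loop the way a careless parser would: trust the declared length blindly.

    A record length of 0 or 1 never moves `offset`, so the loop would spin
    forever on such input. The iteration cap exists only so this demo
    terminates; hitting it returns None.
    """
    offset, count = 0, 0
    for _ in range(max_iterations):
        if offset >= len(data):
            return count
        (length,) = struct.unpack_from("<H", data, offset)
        offset += length  # no progress check: length 0 leaves offset unchanged
        count += 1
    return None


def parse_records(data: bytes) -> list[bytes]:
    """Hardened version: each record must advance the offset and fit the buffer."""
    records: list[bytes] = []
    offset, total = 0, len(data)
    while offset < total:
        if total - offset < 2:
            raise MalformedExtraField(f"truncated record length at offset {offset}")
        (length,) = struct.unpack_from("<H", data, offset)
        if length < 2:
            raise MalformedExtraField(
                f"record length {length} at offset {offset} would not advance the parser")
        if length > total - offset:
            raise MalformedExtraField(
                f"record length {length} at offset {offset} overruns {total - offset} remaining bytes")
        records.append(data[offset + 2:offset + length])
        offset += length
    return records


def records_well_formed(data: bytes) -> bool:
    """Convenience check: True if the sub-record stream parses with forward progress."""
    try:
        parse_records(data)
        return True
    except MalformedExtraField:
        return False


if __name__ == "__main__":
    # Constructed inputs: one valid extra field, one that overruns, one truncated.
    valid = struct.pack("<HH", 0x5455, 5) + b"\x01\x02\x03\x04\x05" + struct.pack("<HH", 0x7875, 0)
    overrun = struct.pack("<HH", 0x0017, 0xFFFF) + b"\x00"
    print(parse_extra_fields(valid))
    print("overrun accepted:", is_well_formed(overrun))
    # A zero-length record makes the naive loop spin; the hardened parser rejects it.
    print("naive loop result on zero-length record:", naive_record_count(b"\x00\x00"))
    print("hardened parser accepts it:", records_well_formed(b"\x00\x00"))
```

The two checks in `parse_records` (minimum length and remaining-bytes bound) are the whole defence: without the first, a zero length stalls the loop; without the second, a large length reads past the buffer. The same invariants apply to any length-prefixed format a service decompresses on behalf of untrusted clients.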



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893174; Package src:libcommons-compress-java. (Mon, 09 Apr 2018 04:09:05 GMT)


Message #8 received at 893174@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 893174@bugs.debian.org, 893174-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libcommons-compress-java package
Date: Mon, 09 Apr 2018 04:07:05 +0000
tag 893174 + pending
thanks

Some bugs in the libcommons-compress-java package are closed in
revision e16c99b56d29473b064ce3351b66cedf721a8bc8 in branch 'master'
by tony mancill

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/libcommons-compress-java.git/commit/?id=e16c99b

Commit message:

    Apply patch for CVE-2018-1324 (Closes: #893174)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 09 Apr 2018 04:09:07 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#893174. (Mon, 09 Apr 2018 04:09:08 GMT)


Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Mon, 09 Apr 2018 09:00:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 09 Apr 2018 09:00:07 GMT)


Message #18 received at 893174-close@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 893174-close@bugs.debian.org
Subject: Bug#893174: fixed in libcommons-compress-java 1.13-2
Date: Mon, 09 Apr 2018 08:56:58 +0000
Source: libcommons-compress-java
Source-Version: 1.13-2

We believe that the bug you reported is fixed in the latest version of
libcommons-compress-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893174@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated libcommons-compress-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 08 Apr 2018 20:58:50 -0700
Source: libcommons-compress-java
Binary: libcommons-compress-java
Architecture: source all
Version: 1.13-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description:
 libcommons-compress-java - Java API for working with compression and archive formats
Closes: 893174
Changes:
 libcommons-compress-java (1.13-2) unstable; urgency=medium
 .
   * Team upload.
   * Apply patch for CVE-2018-1324 (Closes: #893174)
   * Use debhelper 11
   * Update Homepage
   * Update debian/watch to repack with xz compression
   * Drop get-orig-source target from debian/rules
   * Bump Standards-Version to 4.1.4
Checksums-Sha1:
 04ce355fe27300ee6c77add72373e3f8a1d0b956 2387 libcommons-compress-java_1.13-2.dsc
 b4ca4f57dc337a10e49fd429419fa15a1f273f56 4532 libcommons-compress-java_1.13-2.debian.tar.xz
 554e21ebf4b69e4e084e999dca7a12969f783bb5 430140 libcommons-compress-java_1.13-2_all.deb
 f24a792ff6462e4ee246f1433e4c47a2864b8096 16492 libcommons-compress-java_1.13-2_amd64.buildinfo
Checksums-Sha256:
 7bf642056cd591d189d070954d2dffed0ba393df7e0b63e01b3345f8766c5d1b 2387 libcommons-compress-java_1.13-2.dsc
 828e93c76c932e330c91c82b190ad64be73b5ead266d7aebe9d882e6e527d85f 4532 libcommons-compress-java_1.13-2.debian.tar.xz
 610c27274bd98979321035f855e771b843222d257ac937d1035bf4fdeaa8f9c7 430140 libcommons-compress-java_1.13-2_all.deb
 bcd1f7331caeec74471f24b0c90c5a504239fec212f2958c5b7e828ef7164627 16492 libcommons-compress-java_1.13-2_amd64.buildinfo
Files:
 26cb8848c85d7513b2d45ae2a41eb0b8 2387 java optional libcommons-compress-java_1.13-2.dsc
 700df1a46ea1145c955120505e68871e 4532 java optional libcommons-compress-java_1.13-2.debian.tar.xz
 d064da40700609e27106f862f517f11c 430140 java optional libcommons-compress-java_1.13-2_all.deb
 0b0845d28d54fd1e8ff905f8fbe55c1d 16492 java optional libcommons-compress-java_1.13-2_amd64.buildinfo





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893174; Package src:libcommons-compress-java. (Mon, 09 Apr 2018 13:49:34 GMT)


Message #21 received at 893174@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 893174@bugs.debian.org, 893174-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libcommons-compress-java package
Date: Mon, 09 Apr 2018 13:44:33 +0000
tag 893174 + pending
thanks

Some bugs in the libcommons-compress-java package are closed in
revision 68fba1efd66fa1d22ca4bc139f864205d9528478 in branch 'stretch' by tony mancill

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/libcommons-compress-java.git/commit/?id=68fba1e

Commit message:

    Apply patch for CVE-2018-1324 (Closes: #893174)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 09 Apr 2018 13:50:58 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#893174. (Mon, 09 Apr 2018 13:51:40 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 May 2018 07:29:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:48:36 2019; Machine Name: beach
