libcommons-compress-java: CVE-2018-11771: denial of service vulnerability

Related Vulnerabilities: CVE-2018-11771

Debian Bug report logs - #906301


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 16 Aug 2018 19:06:01 UTC

Severity: important

Tags: security, upstream

Found in version libcommons-compress-java/1.9-1

Fixed in version libcommons-compress-java/1.18-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#906301; Package src:libcommons-compress-java. (Thu, 16 Aug 2018 19:06:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 16 Aug 2018 19:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libcommons-compress-java: CVE-2018-11771: denial of service vulnerability
Date: Thu, 16 Aug 2018 21:03:54 +0200
Source: libcommons-compress-java
Version: 1.9-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libcommons-compress-java.

CVE-2018-11771[0]:
| When reading a specially crafted ZIP archive, the read method of
| Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail
| to return the correct EOF indication after the end of the stream has
| been reached. When combined with a java.io.InputStreamReader this can
| lead to an infinite stream, which can be used to mount a denial of
| service attack against services that use Compress' zip package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11771
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771
[1] http://www.openwall.com/lists/oss-security/2018/08/16/2

Regards,
Salvatore
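
The failure mode described above is a read() that never delivers the EOF indication, so a character reader layered on top keeps retrying. As an added defensive example (not code from Commons Compress or the Debian package), the wrapper below caps how many bytes an untrusted entry may hand to the caller and rejects a read that returns 0 bytes for a non-empty request, which is the contract violation a retrying reader spins on; the class name, the 64 MiB budget and the `zipIn` variable are assumptions:

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Illustrative guard for an untrusted archive entry stream (added example,
 * not part of Commons Compress). Two independent checks:
 *  1. a hard cap on bytes handed to the caller, so a stream that never
 *     signals EOF cannot be consumed forever;
 *  2. a contract check on read(byte[], int, int): a request for len > 0
 *     must yield at least one byte or -1; a 0 return is rejected.
 * Usage (zipIn assumed to be a Commons Compress ZipArchiveInputStream):
 *   new InputStreamReader(new BoundedEntryInputStream(zipIn, 64L << 20), UTF_8)
 */
public final class BoundedEntryInputStream extends FilterInputStream {
    private final long maxBytes;
    private long consumed;

    public BoundedEntryInputStream(InputStream in, long maxBytes) {
        super(in);
        if (maxBytes <= 0) throw new IllegalArgumentException("maxBytes must be > 0");
        this.maxBytes = maxBytes;
    }

    private void checkBudget() throws IOException {
        if (consumed >= maxBytes) {
            throw new IOException("entry exceeds " + maxBytes + " bytes; aborting read");
        }
    }

    @Override
    public int read() throws IOException {
        checkBudget();
        int b = in.read();
        if (b != -1) consumed++;
        return b;
    }

    @Override
    public int read(byte[] buf, int off, int len) throws IOException {
        if (len == 0) return 0;   // a zero-length request legitimately returns 0
        checkBudget();
        int allowed = (int) Math.min(len, maxBytes - consumed);
        int n = in.read(buf, off, allowed);
        if (n == 0) {
            // Contract violation: fail fast instead of letting a reader retry forever.
            throw new IOException("underlying stream returned 0 bytes for a " + allowed + "-byte read");
        }
        if (n > 0) consumed += n;
        return n;
    }
}
```

skip() is not budgeted here; override it as well if callers use it on untrusted entries.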



Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Wed, 22 Aug 2018 21:00:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 22 Aug 2018 21:00:18 GMT)


Message #10 received at 906301-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 906301-close@bugs.debian.org
Subject: Bug#906301: fixed in libcommons-compress-java 1.18-1
Date: Wed, 22 Aug 2018 20:58:19 +0000
Source: libcommons-compress-java
Source-Version: 1.18-1

We believe that the bug you reported is fixed in the latest version of
libcommons-compress-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906301@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated libcommons-compress-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Aug 2018 21:43:55 +0200
Source: libcommons-compress-java
Binary: libcommons-compress-java
Architecture: source
Version: 1.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libcommons-compress-java - Java API for working with compression and archive formats
Closes: 906301
Changes:
 libcommons-compress-java (1.18-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.18.
     - Fix CVE-2018-11771.
       When reading a specially crafted ZIP archive, the read method of Apache
       Commons Compress ZipArchiveInputStream can fail to return the correct EOF
       indication after the end of the stream has been reached. When combined
       with a java.io.InputStreamReader this can lead to an infinite stream,
       which can be used to mount a denial of service attack against services
       that use Compress' zip package. Thanks to Salvatore Bonaccorso for the
       report. (Closes: #906301)
   * Declare compliance with Debian Policy 4.2.0.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 25 Sep 2018 07:25:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:42:07 2019; Machine Name: buxtehude
