libcommons-compress-java: CVE-2023-42503


Debian Bug report logs - #1052065


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 16 Sep 2023 20:51:01 UTC

Severity: important

Tags: security, upstream

Found in version libcommons-compress-java/1.22-1

Fixed in version libcommons-compress-java/1.24.0-1

Done: tony mancill <tmancill@debian.org>





Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1052065; Package src:libcommons-compress-java. (Sat, 16 Sep 2023 20:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 16 Sep 2023 20:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libcommons-compress-java: CVE-2023-42503
Date: Sat, 16 Sep 2023 22:48:16 +0200
Source: libcommons-compress-java
Version: 1.22-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libcommons-compress-java.

CVE-2023-42503[0]:
| Improper Input Validation, Uncontrolled Resource Consumption
| vulnerability in Apache Commons Compress in TAR parsing. This issue
| affects Apache Commons Compress: from 1.22 before 1.24.0. Users are
| recommended to upgrade to version 1.24.0, which fixes the issue. A
| third party can create a malformed TAR file by manipulating file
| modification times headers, which when parsed with Apache Commons
| Compress, will cause a denial of service issue via CPU consumption.
| In version 1.22 of Apache Commons Compress, support was added for
| file modification times with higher precision (issue # COMPRESS-612
| [1]). The format for the PAX extended headers carrying this data
| consists of two numbers separated by a period [2], indicating
| seconds and subsecond precision (for example "1647221103.5998539").
| The impacted fields are "atime", "ctime", "mtime" and
| "LIBARCHIVE.creationtime". No input validation is performed prior to
| the parsing of header values. Parsing of these numbers uses the
| BigDecimal [3] class from the JDK which has a publicly known
| algorithmic complexity issue when doing operations on large numbers,
| causing denial of service (see issue # JDK-6560193 [4]). A third
| party can manipulate file time headers in a TAR file by placing a
| number with a very long fraction (300,000 digits) or a number with
| exponent notation (such as "9e9999999") within a file modification
| time header, and the parsing of files with these headers will take
| hours instead of seconds, leading to a denial of service via
| exhaustion of CPU resources. This issue is similar to CVE-2012-2098
| [5].
|
| [1]: https://issues.apache.org/jira/browse/COMPRESS-612
| [2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05
| [3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html
| [4]: https://bugs.openjdk.org/browse/JDK-6560193
| [5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
|
| Only applications using CompressorStreamFactory class (with
| auto-detection of file types), TarArchiveInputStream and TarFile
| classes to parse TAR files are impacted. Since this code was
| introduced in v1.22, only that version and later versions are
| impacted.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42503
    https://www.cve.org/CVERecord?id=CVE-2023-42503
[1] https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c

Regards,
Salvatore
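The mechanism described in the advisory above (a "seconds.fraction" PAX record handed straight to an arbitrary-precision decimal parser) can be screened for before an unpatched Commons Compress build ever sees the archive. The following Python is an added example, not code from Apache Commons Compress or from the Debian package: it walks the ustar headers of an in-memory TAR, parses the "LEN KEY=VALUE\n" records of every x (per-member) and g (global) extended header, and applies a strict, bounded grammar to the four time keywords named in the CVE instead of calling a decimal parser on them. The grammar (unsigned digits, at most twenty integer digits, an optional fraction of at most nine digits, no sign and no exponent) is my own assumed policy, not upstream's 1.24.0 fix. The two archives are constructed sample input: Python's tarfile emits caller-supplied pax_headers verbatim, so the second archive carries the exact "9e9999999" and 300,000-digit-fraction values quoted in the advisory.

```python
"""Scan a TAR stream's PAX extended headers for file-time values that a lax
decimal parser (BigDecimal in Commons Compress 1.22/1.23) would choke on.

Added example, not code from Commons Compress or Debian.  Assumed policy
(mine, not upstream's): a PAX time is unsigned digits, an optional fraction
of at most 9 digits (nanoseconds, all a FileTime can hold), no exponent.
"""
import io
import re
import tarfile

BLOCK = 512
TIME_KEYS = ("atime", "ctime", "mtime", "LIBARCHIVE.creationtime")
MAX_INT_DIGITS = 20   # assumption: ample for any epoch-seconds value
MAX_FRAC_DIGITS = 9   # assumption: cap at nanosecond precision
# Fixed-width quantifiers only, so the match touches at most ~30 bytes of
# input no matter how long the value is and cannot backtrack badly.
TIME_RE = re.compile(r"(\d{1,%d})(?:\.(\d{1,%d}))?" % (MAX_INT_DIGITS, MAX_FRAC_DIGITS))


def parse_pax_time(value):
    """Strictly parse 'seconds[.fraction]' into (seconds, nanoseconds).

    Sign, exponent notation ('9e9999999') or an over-long fraction fails the
    grammar and raises before any arbitrary-precision arithmetic happens.
    """
    m = TIME_RE.fullmatch(value)
    if m is None:
        raise ValueError("rejected PAX time value %r..." % value[:32])
    seconds = int(m.group(1))
    nanos = int((m.group(2) or "").ljust(MAX_FRAC_DIGITS, "0"))
    return seconds, nanos


def parse_pax_records(data):
    """Parse a PAX extended-header payload of 'LEN KEY=VALUE\\n' records
    (LEN is decimal and counts the whole record, newline included)."""
    records, pos = [], 0
    while pos < len(data):
        space = data.index(b" ", pos)
        if space - pos > 12:
            raise ValueError("PAX record length field too long")
        length = int(data[pos:space])
        record = data[pos:pos + length]
        if length <= space - pos + 2 or not record.endswith(b"\n"):
            raise ValueError("malformed PAX record")
        key, _, value = record[space - pos + 1:-1].partition(b"=")
        records.append((key.decode("utf-8"), value.decode("utf-8")))
        pos += length
    return records


def scan_tar(blob):
    """Walk the ustar headers of an in-memory TAR and return one
    (member_name, keyword, value_prefix, verdict) per time keyword found in
    an 'x' or 'g' extended header.  Checksums are not verified; this is a
    scanner, not a full reader, and base-256 size fields are not handled."""
    findings, pending, pos = [], [], 0
    while pos + BLOCK <= len(blob):
        hdr = blob[pos:pos + BLOCK]
        if hdr == b"\0" * BLOCK:
            break                                    # end-of-archive marker
        name = hdr[0:100].rstrip(b"\0").decode("utf-8", "replace")
        raw_size = hdr[124:136]
        if raw_size[0] & 0x80:
            raise ValueError("base-256 size field not handled here")
        size = int(raw_size.rstrip(b"\0 ").decode("ascii") or "0", 8)
        typeflag = hdr[156:157]
        payload = blob[pos + BLOCK:pos + BLOCK + size]
        if typeflag in (b"x", b"g"):
            for key, value in parse_pax_records(payload):
                if key in TIME_KEYS:
                    try:
                        parse_pax_time(value)
                        verdict = "ok"
                    except ValueError:
                        verdict = "rejected"
                    item = (key, value[:24], verdict)
                    if typeflag == b"g":
                        findings.append(("<global>",) + item)
                    else:
                        pending.append(item)         # applies to the next member
        else:
            findings.extend((name,) + item for item in pending)
            pending = []
        pos += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK
    return findings


def build_tar(member_name, pax_headers):
    """Constructed sample: one tiny member written in PAX format.  tarfile
    keeps caller-supplied pax_headers verbatim, so it will emit a hostile
    time record without complaint."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        body = b"hello\n"
        ti = tarfile.TarInfo(member_name)
        ti.size = len(body)
        ti.mtime = 1647221103
        ti.pax_headers = dict(pax_headers)
        tf.addfile(ti, io.BytesIO(body))
    return buf.getvalue()


# Constructed inputs: a benign high-precision mtime, and the two payload
# shapes named in the advisory (exponent notation, 300,000-digit fraction).
GOOD = build_tar("good.txt", {"mtime": "1647221103.5998539"})
EVIL = build_tar("evil.txt", {"mtime": "9e9999999",
                              "atime": "1647221103." + "5" * 300000})

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("evil", EVIL)):
        for finding in scan_tar(blob):
            print(label, *finding)
```

Running the script prints one line per time record with an ok or rejected verdict. parse_pax_time is the piece you would put in front of any BigDecimal-style conversion: because every quantifier in the pattern is fixed-width, fullmatch inspects a few dozen bytes and gives up, so the 300 KB fraction costs a string slice for the report rather than hours of arbitrary-precision arithmetic, and "9e9999999" is refused outright instead of being expanded to a ten-million-digit number.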

Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Sun, 17 Sep 2023 00:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 17 Sep 2023 00:09:03 GMT)


Message #10 received at 1052065-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1052065-close@bugs.debian.org
Subject: Bug#1052065: fixed in libcommons-compress-java 1.24.0-1
Date: Sun, 17 Sep 2023 00:05:00 +0000
Source: libcommons-compress-java
Source-Version: 1.24.0-1
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
libcommons-compress-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1052065@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated libcommons-compress-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 16 Sep 2023 16:20:30 -0700
Source: libcommons-compress-java
Architecture: source
Version: 1.24.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 1052065
Changes:
 libcommons-compress-java (1.24.0-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.24.0
     - CVE-2023-42503 (Closes: #1052065)
   * Refresh patches for new upstream release
   * Freshen years in debian/copyright
Checksums-Sha1:
 30ec80e996f000de03ecfd4f5a880b4445cc9a6d 2405 libcommons-compress-java_1.24.0-1.dsc
 9a996280083847761314a638259ac4474b826eb5 42286684 libcommons-compress-java_1.24.0.orig.tar.xz
 35136ab58a3ea70c6f5ed2e880d5295038b10a51 6484 libcommons-compress-java_1.24.0-1.debian.tar.xz
 154b74b45cdaf2082a58260560112e3550981297 17140 libcommons-compress-java_1.24.0-1_amd64.buildinfo
Checksums-Sha256:
 d3f197158b54888544a0a10e22f508fa2ab400b1c6b791f50921d013af335319 2405 libcommons-compress-java_1.24.0-1.dsc
 cf3870f484c51397c52d78382c97781c53239b6d1dc171c20d2f537aeb5bd4d4 42286684 libcommons-compress-java_1.24.0.orig.tar.xz
 dc1270e0d45ffaa07e7860485ae15ed4d4ee6d1a41b0de945d45ec1e7c5183a5 6484 libcommons-compress-java_1.24.0-1.debian.tar.xz
 61e3aa066a7e65dfdd3099a802107d24e73cc3ac40ffa71958022c45d2c4b866 17140 libcommons-compress-java_1.24.0-1_amd64.buildinfo
Files:
 a98012b67b207b954f09cf4903beb8df 2405 java optional libcommons-compress-java_1.24.0-1.dsc
 cba495696e9e745a8acb79a5fa3f3e71 42286684 java optional libcommons-compress-java_1.24.0.orig.tar.xz
 59d46b6946da1ef1dacb2dbb101163c6 6484 java optional libcommons-compress-java_1.24.0-1.debian.tar.xz
 b868245b8e52ffefc13c4ba1e24ac9d3 17140 java optional libcommons-compress-java_1.24.0-1_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Sep 17 17:52:03 2023; Machine Name: buxtehude
