src/site/xdoc/security-reports.xml - platform/external/apache-commons-compress - Git at Google

 <?xml version="1.0"?>
 <!--

    Licensed to the Apache Software Foundation (ASF) under one or more
    contributor license agreements.  See the NOTICE file distributed with
    this work for additional information regarding copyright ownership.
    The ASF licenses this file to You under the Apache License, Version 2.0
    (the "License"); you may not use this file except in compliance with
    the License.  You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
 <document>
     <properties>
         <title>Commons Compress Security Reports</title>
         <author email="[email protected]">Commons Documentation Team</author>
     </properties>
     <body>
       <section name="General Information">
         <p>For information about reporting or asking questions about
         security problems, please see the <a
         href="https://commons.apache.org/security.html">security page
         of the Commons project</a>.</p>
       </section>

       <section name="Apache Commons Compress Security Vulnerabilities">
         <p>This page lists all security vulnerabilities fixed in
         released versions of Apache Commons Compress. Each
         vulnerability is given a security impact rating by the
         development team - please note that this rating may vary from
         platform to platform. We also list the versions of Commons
         Compress the flaw is known to affect, and where a flaw has not
         been verified list the version with a question mark.</p>

         <p>Please note that binary patches are never provided. If you
         need to apply a source code patch, use the building
         instructions for the Commons Compress version that you are
         using.</p>

         <p>If you need help on building Commons Compress or other help
         on following the instructions to mitigate the known
         vulnerabilities listed here, please send your questions to the
         public <a href="mail-lists.html">Compress Users mailing
         list</a>.</p>

         <p>If you have encountered an unlisted security vulnerability
         or other unexpected behaviour that has security impact, or if
         the descriptions here are incomplete, please report them
         privately to the Apache Security Team. Thank you.</p>

         <subsection name="Fixed in Apache Commons Compress 1.18">
           <p><b>Low: Denial of Service</b> <a
           href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771">CVE-2018-11771</a></p>

           <p>When reading a specially crafted ZIP archive, the read
           method of <code>ZipArchiveInputStream</code> can fail to
           return the correct EOF indication after the end of the
           stream has been reached. When combined with a
           <code>java.io.InputStreamReader</code> this can lead to an
           infinite stream, which can be used to mount a denial of
           service attack against services that use Compress' zip
           package</p>

           <p>This was fixed in revision <a
           href="https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java;h=e1995d7aa51dfac6ae933987fb0b7760c607582b;hp=0a2c1aa0063c620c867715119eae2013c87b5e70;hb=a41ce6892cb0590b2e658704434ac0dbcb6834c8;hpb=64ed6dde03afbef6715fdfdeab5fc04be6192899">a41ce68</a>.</p>

           <p>This was first reported to the Security Team on 14 June
           2018 and made public on 16 August 2018.</p>

           <p>Affects: 1.7 - 1.17</p>

         </subsection>

         <subsection name="Fixed in Apache Commons Compress 1.16">
           <p><b>Low: Denial of Service</b> <a
           href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324">CVE-2018-1324</a></p>

           <p>A specially crafted ZIP archive can be used to cause an
           infinite loop inside of Compress' extra field parser used by
           the <code>ZipFile</code> and
           <code>ZipArchiveInputStream</code> classes.  This can be
           used to mount a denial of service attack against services
           that use Compress' zip package.</p>

           <p>This was fixed in revision <a
           href="https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java;h=acc3b22346b49845e85b5ef27a5814b69e834139;hp=0feb9c98cc622cde1defa3bbd268ef82b4ae5c18;hb=2a2f1dc48e22a34ddb72321a4db211da91aa933b;hpb=dcb0486fb4cb2b6592c04d6ec2edbd3f690df5f2">2a2f1dc4</a>.</p>

           <p>This was first reported to the project's JIRA on <a
           href="https://issues.apache.org/jira/browse/COMPRESS-432">19
           December 2017</a>.</p>

           <p>Affects: 1.11 - 1.15</p>

         </subsection>

         <subsection name="Fixed in Apache Commons Compress 1.4.1">
           <p><b>Low: Denial of Service</b> <a
           href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098">CVE-2012-2098</a></p>

           <p>The bzip2 compressing streams in Apache Commons Compress
           internally use sorting algorithms with unacceptable
           worst-case performance on very repetitive inputs.  A
           specially crafted input to Compress'
           <code>BZip2CompressorOutputStream</code> can be used to make
           the process spend a very long time while using up all
           available processing time effectively leading to a denial of
           service.</p>

           <p>This was fixed in revisions
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1332540">1332540</a>,
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1332552">1332552</a>,
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1333522">1333522</a>,
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1337444">1337444</a>,
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340715">1340715</a>,
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340723">1340723</a>,
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340757">1340757</a>,
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340786">1340786</a>,
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340787">1340787</a>,
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340790">1340790</a>,
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340795">1340795</a> and
           <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1340799">1340799</a>.</p>

           <p>This was first reported to the Security Team on 12 April
           2012 and made public on 23 May 2012.</p>

           <p>Affects: 1.0 - 1.4</p>

         </subsection>
       </section>

       <section name="Errors and Ommissions">
         <p>Please report any errors or omissions to <a
         href="mail-lists.html">the dev mailing list</a>.</p>
       </section>
     </body>
 </document>
	<?xml version="1.0"?>
	<!--

	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<document>
	<properties>
	<title>Commons Compress Security Reports</title>
	<author email="[email protected]">Commons Documentation Team</author>
	</properties>
	<body>
	<section name="General Information">
	<p>For information about reporting or asking questions about
	security problems, please see the <a
	href="https://commons.apache.org/security.html">security page
	of the Commons project</a>.</p>
	</section>

	<section name="Apache Commons Compress Security Vulnerabilities">
	<p>This page lists all security vulnerabilities fixed in
	released versions of Apache Commons Compress. Each
	vulnerability is given a security impact rating by the
	development team - please note that this rating may vary from
	platform to platform. We also list the versions of Commons
	Compress the flaw is known to affect, and where a flaw has not
	been verified list the version with a question mark.</p>

	<p>Please note that binary patches are never provided. If you
	need to apply a source code patch, use the building
	instructions for the Commons Compress version that you are
	using.</p>

	<p>If you need help on building Commons Compress or other help
	on following the instructions to mitigate the known
	vulnerabilities listed here, please send your questions to the
	public <a href="mail-lists.html">Compress Users mailing
	list</a>.</p>

	<p>If you have encountered an unlisted security vulnerability
	or other unexpected behaviour that has security impact, or if
	the descriptions here are incomplete, please report them
	privately to the Apache Security Team. Thank you.</p>

	<subsection name="Fixed in Apache Commons Compress 1.18">
	<p><b>Low: Denial of Service</b> <a
	href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771">CVE-2018-11771</a></p>

	<p>When reading a specially crafted ZIP archive, the read
	method of <code>ZipArchiveInputStream</code> can fail to
	return the correct EOF indication after the end of the
	stream has been reached. When combined with a
	<code>java.io.InputStreamReader</code> this can lead to an
	infinite stream, which can be used to mount a denial of
	service attack against services that use Compress' zip
	package</p>

	<p>This was fixed in revision <a
	href="https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java;h=e1995d7aa51dfac6ae933987fb0b7760c607582b;hp=0a2c1aa0063c620c867715119eae2013c87b5e70;hb=a41ce6892cb0590b2e658704434ac0dbcb6834c8;hpb=64ed6dde03afbef6715fdfdeab5fc04be6192899">a41ce68</a>.</p>

	<p>This was first reported to the Security Team on 14 June
	2018 and made public on 16 August 2018.</p>

	<p>Affects: 1.7 - 1.17</p>

	</subsection>

	<subsection name="Fixed in Apache Commons Compress 1.16">
	<p><b>Low: Denial of Service</b> <a
	href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324">CVE-2018-1324</a></p>

	<p>A specially crafted ZIP archive can be used to cause an
	infinite loop inside of Compress' extra field parser used by
	the <code>ZipFile</code> and
	<code>ZipArchiveInputStream</code> classes. This can be
	used to mount a denial of service attack against services
	that use Compress' zip package.</p>

	<p>This was fixed in revision <a
	href="https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java;h=acc3b22346b49845e85b5ef27a5814b69e834139;hp=0feb9c98cc622cde1defa3bbd268ef82b4ae5c18;hb=2a2f1dc48e22a34ddb72321a4db211da91aa933b;hpb=dcb0486fb4cb2b6592c04d6ec2edbd3f690df5f2">2a2f1dc4</a>.</p>

	<p>This was first reported to the project's JIRA on <a
	href="https://issues.apache.org/jira/browse/COMPRESS-432">19
	December 2017</a>.</p>

	<p>Affects: 1.11 - 1.15</p>

	</subsection>

	<subsection name="Fixed in Apache Commons Compress 1.4.1">
	<p><b>Low: Denial of Service</b> <a
	href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098">CVE-2012-2098</a></p>

	<p>The bzip2 compressing streams in Apache Commons Compress
	internally use sorting algorithms with unacceptable
	worst-case performance on very repetitive inputs. A
	specially crafted input to Compress'
	<code>BZip2CompressorOutputStream</code> can be used to make
	the process spend a very long time while using up all
	available processing time effectively leading to a denial of
	service.</p>

	<p>This was fixed in revisions
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1332540">1332540</a>,
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1332552">1332552</a>,
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1333522">1333522</a>,
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1337444">1337444</a>,
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1340715">1340715</a>,
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1340723">1340723</a>,
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1340757">1340757</a>,
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1340786">1340786</a>,
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1340787">1340787</a>,
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1340790">1340790</a>,
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1340795">1340795</a> and
	<a href="https://svn.apache.org/viewvc?view=revision&revision=1340799">1340799</a>.</p>

	<p>This was first reported to the Security Team on 12 April
	2012 and made public on 23 May 2012.</p>

	<p>Affects: 1.0 - 1.4</p>

	</subsection>
	</section>

	<section name="Errors and Ommissions">
	<p>Please report any errors or omissions to <a
	href="mail-lists.html">the dev mailing list</a>.</p>
	</section>
	</body>
	</document>