Bug 1148475 - (CVE-2019-12402) VUL-1: CVE-2019-12402: apache-commons-compress: infinite loop via specially crafted inputs
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Hardware/OS: Other / Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/241310/
Reported: 2019-08-28 07:00 UTC by Alexandros Toptsoglou
Modified: 2020-05-12 11:20 UTC (History)

See Also:
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-08-28 07:00:57 UTC
via oss-sec

CVE-2019-12402 Apache Commons Compress denial of service vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Compress 1.15 to 1.18

Description:
The file name encoding algorithm used internally in Apache Commons
Compress can get into an infinite loop when faced with specially
crafted inputs. This can lead to a denial of service attack if an
attacker can choose the file names inside of an archive created by
Compress.

Mitigation:
Commons Compress users should upgrade to 1.19 or later.

Credit:
This issue was discovered by Masaya Suzuki of Google.

References:
https://commons.apache.org/proper/commons-compress/security-reports.html

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12402
http://seclists.org/oss-sec/2019/q3/171
Comment 1 Pedro Monreal Gonzalez 2019-08-28 10:20:24 UTC
Updated in Factory to 1.19:
   https://build.opensuse.org/request/show/726717

In SLE, I can only find apache-commons-compress.SUSE_SLE-12-SP1_Update_Products_Update with the not-affected version 1.8.1. Please let me know if I'm missing some codestream.
Comment 3 Alexandros Toptsoglou 2020-05-12 11:20:02 UTC
Done