https://bugzilla.redhat.com/show_bug.cgi?id=1764640
Bug ID: 1764640
Summary: CVE-2019-12402 apache-commons-compress: Infinite loop in name encoding algorithm
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: dblechte@redhat.com, decathorpe@gmail.com, dfediuck@redhat.com, eedri@redhat.com, hhorak@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jjelen@redhat.com, jorton@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mizdebsk@redhat.com, mkoncek@redhat.com, sbonazzo@redhat.com, sherold@redhat.com, SpikeFedora@gmail.com, stewardship-sig@lists.fedoraproject.org, yturgema@redhat.com
Target Milestone: ---
Classification: Other
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
References:
https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de8...
https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc147...
https://bugzilla.redhat.com/show_bug.cgi?id=1761797
Pedro Sampaio psampaio@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1764641
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created apache-commons-compress tracking bugs for this issue:
Affects: fedora-all [bug 1764641]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1764641 [Bug 1764641] CVE-2019-12402 apache-commons-compress: Infinite loop in name encoding algorithm [fedora-all]
Pedro Sampaio psampaio@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Blocks     |         | 1764643
Mikolaj Izdebski mizdebsk@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1761797
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1761797 [Bug 1761797] CVE-2019-12402 apache-commons-compress: denial of service vulnerability
Bug 1764640 depends on bug 1764641, which changed state.
Bug 1764641 Summary: CVE-2019-12402 apache-commons-compress: Infinite loop in name encoding algorithm [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1764641
What       | Removed | Added
-----------+---------+----------
Status     | NEW     | CLOSED
Resolution | ---     | DUPLICATE
Bug 1764640 depends on bug 1761797, which changed state.
Bug 1761797 Summary: CVE-2019-12402 apache-commons-compress: denial of service vulnerability https://bugzilla.redhat.com/show_bug.cgi?id=1761797
What       | Removed | Added
-----------+---------+--------
Status     | ON_QA   | CLOSED
Resolution | ---     | ERRATA
Marian Rehak mrehak@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Priority   | low     | medium
Severity   | low     | medium
--- Comment #2 from Mauro Matteo Cascella mcascell@redhat.com --- Upstream fix: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4a...
--- Comment #3 from Mauro Matteo Cascella mcascell@redhat.com --- The flaw lies in the encode() method of NioZipEncoding class, which leverages java.nio to encode names. Specifically, the file name is encoded repeatedly, until there are no remaining characters in the input buffer. The encoder consumes characters from the input buffer, translates them, and writes the resulting bytes to an output buffer. During this process the exit condition UNDERFLOW (meaning that either the input buffer has been completely consumed or there is insufficient input) is not taken into account, leading to a possible infinite loop.
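The encode loop described in this comment, as an added illustration that is not Compress's own NioZipEncoding code: a java.nio CharsetEncoder loop in which every possible result of encode() (UNDERFLOW, OVERFLOW, malformed, unmappable) advances the loop, so UNDERFLOW terminates it instead of being ignored. The class name, the grow() helper, the replacement handling and the sample file names are assumptions made for this example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CoderResult;
import java.nio.charset.StandardCharsets;
public class NameEncodingLoop {
    // Every outcome of encode() advances the loop: UNDERFLOW ends it, OVERFLOW grows the
    // output buffer, malformed/unmappable input is skipped and replaced. With endOfInput
    // set to true java.nio reports a trailing unpaired surrogate as malformed input; with
    // false it reports UNDERFLOW without consuming it, so a loop that only tests in.remaining() spins.
    static byte[] encodeName(String name, Charset charset) {
        CharsetEncoder enc = charset.newEncoder();        // default action: REPORT errors
        CharBuffer in = CharBuffer.wrap(name);
        ByteBuffer out = ByteBuffer.allocate((int) Math.ceil(enc.averageBytesPerChar() * name.length()) + 8);
        byte[] replacement = enc.replacement();           // "?" for UTF-8
        while (true) {
            CoderResult res = enc.encode(in, out, true);
            if (res.isUnderflow()) {
                break;                                    // all input consumed: done
            } else if (res.isOverflow()) {
                out = grow(out, (int) Math.ceil(enc.maxBytesPerChar() * in.remaining()));
            } else {                                      // malformed or unmappable
                in.position(in.position() + res.length()); // skip the offending chars
                if (out.remaining() < replacement.length) out = grow(out, replacement.length);
                out.put(replacement);
            }
        }
        while (enc.flush(out).isOverflow()) out = grow(out, 8);
        out.flip();
        byte[] bytes = new byte[out.remaining()];
        out.get(bytes);
        return bytes;
    }
    static ByteBuffer grow(ByteBuffer buf, int extra) {
        ByteBuffer bigger = ByteBuffer.allocate(buf.capacity() + Math.max(extra, 16));
        buf.flip();
        return bigger.put(buf);
    }
    public static void main(String[] args) {
        // Constructed sample names: non-ASCII, an unpaired high surrogate mid-name, a trailing one.
        String[] names = { "файл.txt", "bad\uD800name.zip", "tail\uD83D" };
        for (String n : names) {
            byte[] b = encodeName(n, StandardCharsets.UTF_8);
            System.out.println(new String(b, StandardCharsets.UTF_8) + " (" + b.length + " bytes)");
        }
    }
}
```

The two names with unpaired surrogates come back as "bad?name.zip" and "tail?" and the loop returns after a bounded number of iterations for any input, because each branch either consumes input, enlarges the output buffer, or exits.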
--- Doc Text *updated* by Mauro Matteo Cascella mcascell@redhat.com --- A resource consumption vulnerability was discovered in apache-commons-compress. This flaw can be exploited when a specially crafted filename is used inside of an archive created by Compress. A remote attacker could exploit this flaw to influence a loop with an exit condition that can never be reached, thus leading to a denial of service.
--- Comment #9 from Mauro Matteo Cascella mcascell@redhat.com --- Class ZipArchiveOutputStream creates an output stream for writing files in the ZIP file format. The flaw is triggered when calling the putArchiveEntry() method with a carefully crafted ArchiveEntry, whose name is then encoded by the aforementioned encoding algorithm used internally in Apache Commons Compress.
--- Comment #10 from Mauro Matteo Cascella mcascell@redhat.com --- Statement:
This issue did not affect the version of OpenCV as shipped with Red Hat Enterprise Linux 7 as it did not use NIO based zip encoding (java.nio). A fallback implementation which leverages java.io to encode names was being used instead as default zip encoding mechanism.
--- Comment #11 from Mauro Matteo Cascella mcascell@redhat.com --- Statement:
This issue did not affect the version of apache-commons-compress as shipped with Red Hat Enterprise Linux 7 as it did not use NIO based zip encoding (java.nio). A fallback implementation which leverages java.io to encode names was being used instead as default zip encoding mechanism.
--- Comment #12 from Mauro Matteo Cascella mcascell@redhat.com --- Mitigation:
There is no mitigation for this issue; the flaw can only be resolved by applying updates.
--- Comment #13 from Mauro Matteo Cascella mcascell@redhat.com --- The fallback zip encoding implementation leveraging java.io has been superseded in favor of NIO based encoding (java.nio) in Compress release 1.15. The UNDERFLOW exit condition has been removed from the loop in the same release 1.15.
https://github.com/apache/commons-compress/blob/rel/1.15/RELEASE-NOTES.txt#L...
https://issues.apache.org/jira/browse/COMPRESS-410
https://github.com/apache/commons-compress/commit/cec72ce690353c90f3867191d7...
https://github.com/apache/commons-compress/commit/a67bdc013c9fd965abaca375b9...
--- Comment #14 from Mauro Matteo Cascella mcascell@redhat.com --- Statement:
This issue did not affect the version of apache-commons-compress as shipped with Red Hat Enterprise Linux 7, and the versions of rh-java-common-apache-commons-compress and rh-maven35-apache-commons-compress as shipped with Red Hat Software Collections 3. Those versions did not use NIO based zip encoding (java.nio) to encode file names. Instead, a fallback implementation which leverages java.io was being used as default zip encoding mechanism. This issue did not affect the versions of rh-maven36-apache-commons-compress as shipped with Red Hat Software Collection 3 as they already include the patch.
Mauro Matteo Cascella mcascell@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Priority   | medium  | high
Severity   | medium  | high
--- Doc Text *updated* by Mauro Matteo Cascella mcascell@redhat.com --- A resource consumption vulnerability was discovered in apache-commons-compress in the way NioZipEncoding encodes filenames. Applications that use Compress to create archives, with one of the filenames within the archive being controlled by the user, may be vulnerable to this flaw. A remote attacker could exploit this flaw to cause an infinite loop during the archive creation, thus leading to a denial of service.
--- Comment #16 from Mauro Matteo Cascella mcascell@redhat.com --- Statement:
This issue did not affect the versions of apache-commons-compress as shipped with Red Hat Enterprise Linux 7, and the versions of rh-java-common-apache-commons-compress and rh-maven35-apache-commons-compress as shipped with Red Hat Software Collections 3, as they used a fallback zip encoding implementation (leveraging java.io) to encode filenames. This issue did not affect the versions of rh-maven36-apache-commons-compress as shipped with Red Hat Software Collection 3 as they already include the patch.
Mauro Matteo Cascella mcascell@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1783977
--- Comment #19 from Eric Christensen sparks@redhat.com --- Statement:
This issue does not affect the versions of apache-commons-compress as shipped with Red Hat Enterprise Linux 7, and the versions of rh-java-common-apache-commons-compress and rh-maven35-apache-commons-compress as shipped with Red Hat Software Collections 3, as they used a fallback zip encoding implementation (leveraging java.io) to encode filenames. This issue does not affect the versions of rh-maven36-apache-commons-compress as shipped with Red Hat Software Collection 3 as they already include the patch.
--- Comment #20 from Jonathan Christison jochrist@redhat.com --- Marking Red Hat Fuse 7 as having a moderate impact. The use of Apache Commons Compress as part of Fuse Online is in the Project Generation phase and is not something made available as part of a service to the network (AV:N -> AV:L); the naming of the files is also controlled by the local user/developer, and an attacker would need to invest a measurable amount of effort to alter the target environment to exploit the vulnerability (AC:L -> AC:H).
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What       | Removed | Added
-----------+---------+---------------------------------------
Link ID    |         | Red Hat Product Errata RHSA-2021:3140
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        | Removed | Added
------------+---------+--------------------
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Last Closed |         | 2021-08-11 19:28:10
--- Comment #26 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-12402
Joshua Mulliken jmullike@redhat.com changed:
What       | Removed | Added
-----------+---------+---------------------------------------
CC         |         | pdrozd@redhat.com, sthorger@redhat.com
Paramvir Jindal pjindal@redhat.com changed:
What       | Removed                                                                                 | Added
-----------+-----------------------------------------------------------------------------------------+-------
CC         | aboyko@redhat.com, pdrozd@redhat.com, sthorger@redhat.com, java-sig-commits@lists.fedoraproject.org |