Source: libcommons-compress-java
Version: 1.22-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for libcommons-compress-java.

CVE-2023-42503[0]:
| Improper Input Validation, Uncontrolled Resource Consumption
| vulnerability in Apache Commons Compress in TAR parsing. This issue
| affects Apache Commons Compress: from 1.22 before 1.24.0. Users are
| recommended to upgrade to version 1.24.0, which fixes the issue.
|
| A third party can create a malformed TAR file by manipulating file
| modification times headers, which when parsed with Apache Commons
| Compress, will cause a denial of service issue via CPU consumption.
|
| In version 1.22 of Apache Commons Compress, support was added for
| file modification times with higher precision (issue # COMPRESS-612
| [1]). The format for the PAX extended headers carrying this data
| consists of two numbers separated by a period [2], indicating
| seconds and subsecond precision (for example "1647221103.5998539").
| The impacted fields are "atime", "ctime", "mtime" and
| "LIBARCHIVE.creationtime". No input validation is performed prior to
| the parsing of header values. Parsing of these numbers uses the
| BigDecimal [3] class from the JDK which has a publicly known
| algorithmic complexity issue when doing operations on large numbers,
| causing denial of service (see issue # JDK-6560193 [4]). A third
| party can manipulate file time headers in a TAR file by placing a
| number with a very long fraction (300,000 digits) or a number with
| exponent notation (such as "9e9999999") within a file modification
| time header, and the parsing of files with these headers will take
| hours instead of seconds, leading to a denial of service via
| exhaustion of CPU resources. This issue is similar to CVE-2012-2098
| [5].
|
| [1]: https://issues.apache.org/jira/browse/COMPRESS-612
| [2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05
| [3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html
| [4]: https://bugs.openjdk.org/browse/JDK-6560193
| [5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
|
| Only applications using CompressorStreamFactory class (with
| auto-detection of file types), TarArchiveInputStream and TarFile
| classes to parse TAR files are impacted. Since this code was
| introduced in v1.22, only that version and later versions are
| impacted.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42503
    https://www.cve.org/CVERecord?id=CVE-2023-42503
[1] https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
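As an added illustration of the missing input validation the advisory describes (this is not Commons Compress code and not the upstream 1.24.0 fix), the following bounds a pax time field to the POSIX shape "[-]seconds[.fraction]" and caps its length before BigDecimal is ever invoked, so the exponent-notation and long-fraction values named above are rejected in constant time. The class and method names and the length limits are my own assumptions.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.nio.file.attribute.FileTime;
import java.time.Instant;
import java.util.regex.Pattern;

public final class PaxTimeValidator {

    // POSIX pax time: optional '-', decimal seconds, optional '.' plus digits.
    // Exponent notation such as "9e9999999" does not match and is rejected.
    // Integer part is limited to 19 digits (assumption: enough for any epoch value).
    private static final Pattern PAX_TIME = Pattern.compile("-?[0-9]{1,19}(\\.[0-9]+)?");

    // Assumed hard cap on the whole field: a 300,000-digit fraction fails here
    // with a single length check, long before any BigDecimal arithmetic runs.
    private static final int MAX_LENGTH = 40;

    /** Returns true only for a syntactically bounded pax time value. */
    public static boolean isWellFormedPaxTime(String value) {
        return value != null
                && value.length() <= MAX_LENGTH
                && PAX_TIME.matcher(value).matches();
    }

    /** Parses a validated pax time (e.g. "1647221103.5998539") into a FileTime. */
    public static FileTime parsePaxTime(String value) {
        if (!isWellFormedPaxTime(value)) {
            throw new IllegalArgumentException("malformed pax time value");
        }
        // Safe: both length and shape are bounded, so BigDecimal work is trivial.
        // Fraction is truncated to nanoseconds, the precision FileTime can hold.
        BigDecimal seconds = new BigDecimal(value).setScale(9, RoundingMode.DOWN);
        long whole = seconds.setScale(0, RoundingMode.DOWN).longValueExact();
        long nanos = seconds.subtract(BigDecimal.valueOf(whole))
                .movePointRight(9).longValueExact();
        // Instant normalises a negative nano adjustment for negative timestamps.
        return FileTime.from(Instant.ofEpochSecond(whole, nanos));
    }

    public static void main(String[] args) {
        // Constructed inputs: the advisory's example plus the two hostile shapes.
        String[] samples = {"1647221103.5998539", "9e9999999", "1." + "9".repeat(300000)};
        for (String s : samples) {
            String shown = s.length() > 24 ? s.substring(0, 24) + "..." : s;
            System.out.println(shown + " -> " + (isWellFormedPaxTime(s) ? parsePaxTime(s) : "rejected"));
        }
    }
}
```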