Thank you, that clears things up a lot!

Best Regards
Magnus Reftel

On 2024/02/19 15:57:49 Gary Gregory wrote:
> Hi Magnus and all,
>
> This was discovered through fuzz testing, basically if some bits in
> some parts of a file follow some pattern, then the infinite loop kicks
> in. It only happens if your Commons Compress client code decides to
> parse a DUMP file.
>
> The ticket https://issues.apache.org/jira/browse/COMPRESS-632 is an
> umbrella ticket that gathers fuzz testing issues, and it was recently
> amended with further tests for this specific issue.
>
> The PR you show is for a different issue.
>
> Security issues are NOT reported or discussed in public until a fix is
> made available in a release.
>
> Please see:
> - https://commons.apache.org/proper/commons-compress/security.html
> - https://commons.apache.org/security.html
>
> Gary
>
> On Mon, Feb 19, 2024 at 3:33 PM Reftel, Magnus
> <ma...@skatteetaten.no.invalid> wrote:
> >
> > Hi,
> >
> > Are there any more details on this issue? For instance, under what 
> > circumstances would an application that uses the commons-compress library 
> > be vulnerable? The subject line hints that the flaw is specific to the Dump 
> > format. Is that correct? Are there any options that need to be 
> > enabled/disabled for the application to be vulnerable?
> > Also, is it correct that this is related to what was reported in 
> > https://issues.apache.org/jira/browse/COMPRESS-632 and was fixed in 
> > https://github.com/apache/commons-compress/pull/442 ?
> >
> > Best Regards
> > Magnus Reftel
> >
> > On 2024/02/19 01:25:47 "Gary D. Gregory" wrote:
> > > Severity: important
> > >
> > > Affected versions:
> > >
> > > - Apache Commons Compress 1.3 through 1.25.0
> > >
> > > Description:
> > >
> > > Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in 
> > > Apache Commons Compress. This issue affects Apache Commons Compress: from 
> > > 1.3 through 1.25.0.
> > >
> > > Users are recommended to upgrade to version 1.26.0 which fixes the issue.
> > >
> > > Credit:
> > >
> > > Yakov Shafranovich, Amazon Web Services (reporter)
> > >
> > > References:
> > >
> > > https://commons.apache.org/
> > > https://www.cve.org/CVERecord?id=CVE-2024-25710
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
> > > For additional commands, e-mail: user-h...@commons.apache.org
> > >
> > >
> >
> > ________________________________
> > The contents of this email message and any attachments are intended solely 
> > for the addressee(s) and may contain confidential information and may be 
> > legally protected from disclosure. If you are not the intended recipient of 
> > this message, please immediately delete the message and alert the Norwegian 
> > Tax Administration.
>


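One practical way to answer Magnus's first question for your own code base (does any of our Commons Compress client code ever decide to parse a DUMP file?) is to stop relying on format autodetection and route every archive through an explicit allowlist. The class below is an added example, not code from this thread or from Commons Compress itself; it assumes Commons Compress 1.26.0 (the fixed release) on the classpath, and the class name, the allowlist contents and the constructed in-memory zip are the example's own choices. Upgrading remains the actual fix; the allowlist only makes the DUMP parser unreachable from untrusted input, which is the condition Gary describes.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;

import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveException;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.ArchiveStreamFactory;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream;

/**
 * Added example (not Commons Compress code): open an archive only if its
 * detected format is on an explicit allowlist, so that an untrusted upload
 * can never be routed to the DUMP parser by format autodetection.
 */
public final class AllowlistedArchiveOpener {

    // Formats this (hypothetical) application actually needs. DUMP is deliberately absent.
    private static final Set<String> ALLOWED = Set.of(ArchiveStreamFactory.TAR, ArchiveStreamFactory.ZIP);

    private AllowlistedArchiveOpener() {
    }

    /** Returns the detected archiver name if it is allowlisted, otherwise throws. */
    public static String detectAllowed(InputStream in) throws ArchiveException {
        // detect() peeks at the signature and resets, so the stream must support mark/reset.
        final String name = ArchiveStreamFactory.detect(in);
        if (!ALLOWED.contains(name)) {
            throw new ArchiveException("Archive format not permitted: " + name);
        }
        return name;
    }

    /** Opens the archive by passing the allowlisted format name explicitly to the factory. */
    public static ArchiveInputStream<? extends ArchiveEntry> open(InputStream raw) throws ArchiveException {
        final InputStream in = raw.markSupported() ? raw : new BufferedInputStream(raw);
        final String name = detectAllowed(in);
        // Never call createArchiveInputStream(InputStream): that overload autodetects and may pick DUMP.
        return ArchiveStreamFactory.DEFAULT.createArchiveInputStream(name, in);
    }

    public static void main(String[] args) throws IOException, ArchiveException {
        // Constructed sample input: a one-entry zip built in memory.
        final ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipArchiveOutputStream zos = new ZipArchiveOutputStream(bos)) {
            zos.putArchiveEntry(new ZipArchiveEntry("hello.txt"));
            zos.write("hi".getBytes(StandardCharsets.US_ASCII));
            zos.closeArchiveEntry();
        }
        try (ArchiveInputStream<? extends ArchiveEntry> ais = open(new ByteArrayInputStream(bos.toByteArray()))) {
            ArchiveEntry entry;
            while ((entry = ais.getNextEntry()) != null) {
                System.out.println("accepted entry: " + entry.getName());
            }
        }

        // Constructed sample input: bytes that match no archive signature. detect() throws
        // before any parser is constructed, so nothing is parsed at all.
        final byte[] junk = "not an archive at all".getBytes(StandardCharsets.US_ASCII);
        try (InputStream in = new ByteArrayInputStream(junk)) {
            detectAllowed(in);
        } catch (ArchiveException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The same allowlist check also applies to the compressor side (`CompressorStreamFactory`) if your code autodetects there; the point is that a format you never need should not be selectable by the attacker's bytes, whatever version you are on.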