Release date:
Updated on:
Affected Systems:
Apache Group Commons Compress 1.4
Apache Group Commons Compress 1.0
Apache Group Ant 1.8.3
Apache Group Ant 1.6.2
Apache Group Ant 1.5
Unaffected system:
Apache Group Commons Compress 1.4.1
Apache Group Ant 1.8.4
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53676
Cve id: CVE-2012-2098
The Apache Commons Compress library defines an API that can process ar, cpio, Unix dump, tar, zip, gzip, XZ, Pack200, and bzip2 files. Apache Ant is a tool that automates software compilation, testing, deployment, and other steps. It is mostly used for software development in the Java environment.
Apache Commons Compress versions earlier than 1.4.1 contain a security vulnerability in bzip2 compression. An attacker can exploit it by supplying specially crafted input to the BZip2CompressorOutputStream class, consuming system resources and resulting in a denial of service (DoS).
<* Source: David Jorm
Link: http://secunia.com/advisories/49286/
http://commons.apache.org/compress/security.html
*>
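The advisory's fix is to move to Commons Compress 1.4.1. Where a deployment cannot upgrade immediately and still compresses attacker-supplied data with bzip2, the resource consumption described above can be bounded at the call site. The following is an added illustration, not code from the advisory, from Apache, or from the Commons Compress project: it checks the loaded library's Implementation-Version against 1.4.1 and wraps BZip2CompressorOutputStream so that a single request can feed at most a fixed number of bytes and the caller waits at most a fixed time. The class name GuardedBzip2, the 8 MiB and 10 second limits, and the reliance on the jar manifest carrying an Implementation-Version attribute are assumptions of the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.compress.compressors.bzip2.BZip2CompressorOutputStream;

/**
 * Defensive wrapper around BZip2CompressorOutputStream for untrusted input.
 * Added example for this advisory; not part of Commons Compress or of Ant.
 * Assumes commons-compress is on the classpath and that its jar manifest
 * carries an Implementation-Version attribute (if it does not, the version
 * check fails closed and reports "not known to be fixed").
 */
public final class GuardedBzip2 {

    // Limits chosen for this example (assumed values); tune per deployment.
    private static final long MAX_INPUT_BYTES = 8L * 1024 * 1024; // 8 MiB
    private static final long TIMEOUT_SECONDS = 10;

    private GuardedBzip2() {}

    /** True only if the loaded library reports a version of at least 1.4.1, the fixed release. */
    public static boolean isFixedVersion() {
        Package p = BZip2CompressorOutputStream.class.getPackage();
        String v = (p == null) ? null : p.getImplementationVersion();
        if (v == null) {
            return false; // unknown version: treat as vulnerable
        }
        return compareVersions(v, "1.4.1") >= 0;
    }

    // Compares dotted numeric versions segment by segment; non-numeric segments count as 0.
    static int compareVersions(String a, String b) {
        String[] x = a.split("[.-]");
        String[] y = b.split("[.-]");
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = (i < x.length) ? parseOrZero(x[i]) : 0;
            int yi = (i < y.length) ? parseOrZero(y[i]) : 0;
            if (xi != yi) {
                return Integer.compare(xi, yi);
            }
        }
        return 0;
    }

    private static int parseOrZero(String s) {
        try {
            return Integer.parseInt(s);
        } catch (NumberFormatException e) {
            return 0;
        }
    }

    /**
     * Compresses at most MAX_INPUT_BYTES read from {@code in} with bzip2 and
     * rejects the request if the result is not ready within TIMEOUT_SECONDS.
     * The size cap is what actually limits the work done per request.
     */
    public static byte[] compressBounded(InputStream in) throws IOException {
        ExecutorService exec = Executors.newSingleThreadExecutor();
        Future<byte[]> pending = exec.submit(() -> {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (OutputStream bz = new BZip2CompressorOutputStream(buf)) {
                byte[] chunk = new byte[8192];
                long total = 0;
                int n;
                while ((n = in.read(chunk)) != -1) {
                    total += n;
                    if (total > MAX_INPUT_BYTES) {
                        throw new IOException("input exceeds " + MAX_INPUT_BYTES + " bytes");
                    }
                    bz.write(chunk, 0, n);
                }
            }
            return buf.toByteArray();
        });
        try {
            return pending.get(TIMEOUT_SECONDS, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            pending.cancel(true);
            throw new IOException("bzip2 compression exceeded " + TIMEOUT_SECONDS + " s; request rejected", e);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IOException(cause);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while compressing", e);
        } finally {
            exec.shutdownNow();
        }
    }
}
```

Two caveats on the design. The timeout bounds how long the caller waits, not the CPU the worker thread burns: the compressor's inner loops do not check the interrupt flag, so a cancelled task may keep running to completion, and the input-size cap is the control that really limits work per request. And a version check based on the manifest is only as reliable as the packaging; a shaded or repackaged jar can drop the attribute, which is why the check above fails closed. Neither measure replaces upgrading to 1.4.1, as the vendor bulletin directs.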
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Apache Group
------------
Apache Group has released a security bulletin (Fixed in Apache Commons Compress 1.4.1) and corresponding patches:
Fixed in Apache Commons Compress 1.4.1: Reporting New Security Problems with Apache Commons Compress
Link: http://commons.apache.org/compress/security.html