Bug 25365

Summary: apache-commons-compress new security issue CVE-2019-12402
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: andrewsfarm, geiger.david68210, herman.viaene, mageia, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: apache-commons-compress-1.18-2.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 1.19

Description David Walser 2019-08-28 12:04:11 CEST
Apache has issued an advisory on August 27:
https://www.openwall.com/lists/oss-security/2019/08/27/1

The issue is fixed upstream in 1.19.

Mageia 7 is also affected.
David Walser 2019-08-28 12:04:22 CEST

Status comment: (none) => Fixed upstream in 1.19
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2019-12-26 04:42:38 CET
Fedora has issued an advisory for this on October 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/

Severity: normal => critical

Comment 2 David GEIGER 2019-12-29 07:33:49 CET
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 3 David Walser 2019-12-29 17:52:27 CET
Advisory:
========================

Updated apache-commons-compress packages fix security vulnerability:

A resource consumption vulnerability was discovered in apache-commons-compress
in the way NioZipEncoding encodes filenames. Applications that use Compress to
create archives, with one of the filenames within the archive being controlled
by the user, may be vulnerable to this flaw. A remote attacker could exploit
this flaw to cause an infinite loop during the archive creation, thus leading
to a denial of service (CVE-2019-12402).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
========================

Updated packages in core/updates_testing:
========================
apache-commons-compress-1.19-1.mga7
apache-commons-compress-javadoc-1.19-1.mga7

from apache-commons-compress-1.19-1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: java => qa-bugs

Comment 4 Herman Viaene 2020-01-02 15:48:08 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
This laptop didn't have apache yet, so installed 2.2.41, and started it OK.
More tests needed? I'll agree on a clean install.

CC: (none) => herman.viaene

Comment 5 David Walser 2020-01-02 16:25:36 CET
Clean upgrade is sufficient.
Herman Viaene 2020-01-02 16:29:50 CET

Whiteboard: (none) => MGA7-64-OK

Comment 6 PC LX 2020-01-02 19:03:36 CET
Installed and tested without issues.

Tested using the arduino package that depends on apache-commons-compress.

Note that this package has nothing to do with the apache http server.

$ uname -a
Linux marte 5.4.6-desktop-2.mga7 #1 SMP Mon Dec 23 12:05:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q apache-commons-compress
apache-commons-compress-1.19-1.mga7

CC: (none) => mageia

Comment 7 Thomas Andrews 2020-01-03 19:03:57 CET
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-05 12:21:43 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-01-05 16:39:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0001.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED