Bug 25365 - apache-commons-compress new security issue CVE-2019-12402
Summary: apache-commons-compress new security issue CVE-2019-12402
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:

Reported: 2019-08-28 12:04 CEST by David Walser
Modified: 2020-01-05 16:39 CET
6 users

See Also:
Source RPM: apache-commons-compress-1.18-2.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 1.19


Attachments

Description David Walser 2019-08-28 12:04:11 CEST
Apache has issued an advisory on August 27:
https://www.openwall.com/lists/oss-security/2019/08/27/1

The issue is fixed upstream in 1.19.

Mageia 7 is also affected.
David Walser 2019-08-28 12:04:22 CEST

Status comment: (none) => Fixed upstream in 1.19
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2019-12-26 04:42:38 CET
Fedora has issued an advisory for this on October 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/

Severity: normal => critical

Comment 2 David GEIGER 2019-12-29 07:33:49 CET
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 3 David Walser 2019-12-29 17:52:27 CET
Advisory:
========================

Updated apache-commons-compress packages fix security vulnerability:

A resource consumption vulnerability was discovered in apache-commons-compress
in the way NioZipEncoding encodes filenames. Applications that use Compress to
create archives, with one of the filenames within the archive being controlled
by the user, may be vulnerable to this flaw. A remote attacker could exploit
this flaw to cause an infinite loop during the archive creation, thus leading
to a denial of service (CVE-2019-12402).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
========================

Updated packages in core/updates_testing:
========================
apache-commons-compress-1.19-1.mga7
apache-commons-compress-javadoc-1.19-1.mga7

from apache-commons-compress-1.19-1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: java => qa-bugs
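
The advisory above locates the flaw in the way NioZipEncoding encodes entry names while an archive is being created, and notes that the risk arises when a user controls one of those names. The following Java example is added here and is not code from the Mageia package, the bug report or the Commons Compress project; it shows the defensive shape an application that builds archives from untrusted names can take: refuse to run on a commons-compress older than the fixed 1.19, pin the entry-name encoding to UTF-8 instead of the platform default, and vet each user-supplied name against an allowlist and against `ZipEncoding.canEncode` before handing it to `ZipArchiveOutputStream`. The allowlist pattern, the class name `SafeZipBuilder`, and the reliance on an `Implementation-Version` entry in the jar manifest are assumptions of this example, not facts from the page.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream;
import org.apache.commons.compress.archivers.zip.ZipEncoding;
import org.apache.commons.compress.archivers.zip.ZipEncodingHelper;

public class SafeZipBuilder {

    // Assumption of this example: a flat, ASCII-only naming scheme is acceptable
    // for names that an untrusted party may choose.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,128}");

    /**
     * True if the commons-compress on the classpath reports version 1.19 or newer
     * (the version that fixes CVE-2019-12402). Assumes the jar manifest carries an
     * Implementation-Version header; an unknown version is treated as unpatched.
     */
    static boolean libraryIsPatched() {
        String v = ZipArchiveOutputStream.class.getPackage().getImplementationVersion();
        if (v == null) {
            return false;
        }
        String[] parts = v.split("\\.");
        try {
            int major = Integer.parseInt(parts[0]);
            int minor = parts.length > 1 ? Integer.parseInt(parts[1].replaceAll("\\D.*$", "")) : 0;
            return major > 1 || (major == 1 && minor >= 19);
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Rejects an untrusted entry name unless it matches the allowlist and the
     * configured zip encoding can represent every character in it.
     */
    static String vetEntryName(String untrusted, String encoding) {
        if (untrusted == null || !SAFE_NAME.matcher(untrusted).matches()) {
            throw new IllegalArgumentException("entry name rejected by allowlist");
        }
        ZipEncoding enc = ZipEncodingHelper.getZipEncoding(encoding);
        if (!enc.canEncode(untrusted)) {
            throw new IllegalArgumentException("entry name not representable in " + encoding);
        }
        return untrusted;
    }

    /** Builds a one-entry zip in memory from a vetted name and caller-supplied content. */
    static byte[] buildArchive(String untrustedName, byte[] content) throws IOException {
        if (!libraryIsPatched()) {
            throw new IllegalStateException(
                "commons-compress older than 1.19 (CVE-2019-12402); refusing to build archives");
        }
        String name = vetEntryName(untrustedName, "UTF-8");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipArchiveOutputStream zos = new ZipArchiveOutputStream(bos)) {
            zos.setEncoding("UTF-8"); // fixed, known-good encoding rather than the platform default
            ZipArchiveEntry entry = new ZipArchiveEntry(name);
            zos.putArchiveEntry(entry);
            zos.write(content);
            zos.closeArchiveEntry();
            zos.finish();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: one acceptable name, one that fails the allowlist.
        byte[] zip = buildArchive("report.txt", "hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("archive bytes: " + zip.length);
        try {
            buildArchive("sub dir/r\u00e9port.txt", new byte[0]);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The version gate is a belt-and-braces check for deployments where the library is pulled in transitively (as the arduino package does here); the real fix is the 1.19 upgrade this bug ships. The allowlist and `canEncode` check are independent of the library version and remain worthwhile afterwards, since they keep untrusted input out of the encoder entirely.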

Comment 4 Herman Viaene 2020-01-02 15:48:08 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
This laptop didn't have apache yet, so installed 2.2.41, and started it OK.
More tests needed? I'll agree on a clean install.

CC: (none) => herman.viaene

Comment 5 David Walser 2020-01-02 16:25:36 CET
Clean upgrade is sufficient.
Herman Viaene 2020-01-02 16:29:50 CET

Whiteboard: (none) => MGA7-64-OK

Comment 6 PC LX 2020-01-02 19:03:36 CET
Installed and tested without issues.

Tested using the arduino package that depends on apache-commons-compress.

Note that this package has nothing to do with the apache http server.

$ uname -a
Linux marte 5.4.6-desktop-2.mga7 #1 SMP Mon Dec 23 12:05:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q apache-commons-compress
apache-commons-compress-1.19-1.mga7

CC: (none) => mageia

Comment 7 Thomas Andrews 2020-01-03 19:03:57 CET
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-05 12:21:43 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-01-05 16:39:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0001.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED