This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch release
in repository https://gitbox.apache.org/repos/asf/commons-compress.git


The following commit(s) were added to refs/heads/release by this push:
     new 3eee09dd Update site for CVE-2023-42503
3eee09dd is described below

commit 3eee09dd4c9fabc83234353ff7327f2bc4c36e03
Author: Gary Gregory <garydgreg...@gmail.com>
AuthorDate: Wed Sep 13 15:49:27 2023 -0400

    Update site for CVE-2023-42503
---
 src/site/xdoc/security.xml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index f3efae6a..ad853cbc 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -54,6 +54,36 @@
         the descriptions here are incomplete, please report them
         privately to the Apache Security Team. Thank you.</p>
 
+        <subsection name="Fixed in Apache Commons Compress 1.24.0">
+          <p><b>Moderate: Denial of Service</b> <a
+          
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42503";>CVE-2023-42503</a></p>
+          
+          <p>Improper Input Validation, Uncontrolled Resource Consumption 
vulnerability in Apache Commons Compress in TAR parsing.</p>
+          <p>This issue affects Apache Commons Compress: from 1.22 before 
1.24.0.</p>
+          <p>Users are recommended to upgrade to version 1.24.0, which fixes 
the issue.</p>
+          <p>A third party can create a malformed TAR file by manipulating 
file modification times headers, 
+             which when parsed with Apache Commons Compress, will cause a 
denial of service issue via CPU consumption.</p>
+          <p>In version 1.22 of Apache Commons Compress, support was added for 
file modification times with higher precision 
+             (issue # COMPRESS-612<sup><a href="#Ref-1-24-1">[1]</a></sup>).
+             The format for the PAX extended headers carrying this data 
consists of two numbers separated by a period<sup><a 
href="#Ref-1-24-2">[2]</a></sup>, 
+             indicating seconds and subsecond precision (for example 
“1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and 
+             “LIBARCHIVE.creationtime”. No input validation is performed prior 
to the parsing of header values.</p>
+          <p>Parsing of these numbers uses the BigDecimal<sup><a 
href="#Ref-1-24-3">[3]</a></sup> class from the JDK which has a publicly known 
algorithmic complexity issue when doing 
+             operations on large numbers, causing denial of service (see issue 
# JDK-6560193<sup><a href="#Ref-1-24-4">[4]</a></sup>). A third party can 
manipulate file time headers 
+             in a TAR file by placing a number with a very long fraction 
(300,000 digits) or a number with exponent notation (such as “9e9999999”) 
+             within a file modification time header, and the parsing of files 
with these headers will take hours instead of seconds, leading to a 
+             denial of service via exhaustion of CPU resources. This issue is 
similar to CVE-2012-2098<sup><a href="#Ref-1-24-5">[5]</a></sup>.</p>
+          <ul>
+            <li id="Ref-1-24-1">[1]: <a 
href="https://issues.apache.org/jira/browse/COMPRESS-612";>COMPRESS-612</a></li>
+            <li id="Ref-1-24-2">[2]: <a 
href="https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05";>PAX
 extended headers</a></li>
+            <li id="Ref-1-24-3">[3]: <a 
href="https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html";>BigDecimal</a></li>
+            <li id="Ref-1-24-4">[4]: <a 
href="https://bugs.openjdk.org/browse/JDK-6560193";>JDK-6560193</a></li>
+            <li id="Ref-1-24-5">[5]: <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098";>CVE-2012-2098</a></li>
+          </ul>
+          <p>Only applications using CompressorStreamFactory class (with 
auto-detection of file types), TarArchiveInputStream and TarFile 
+             classes to parse TAR files are impacted. Since this code was 
introduced in v1.22, only that version and later versions are impacted.</p>
+        </subsection>
+
         <subsection name="Fixed in Apache Commons Compress 1.21">
           <p><b>Low: Denial of Service</b> <a
           
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515";>CVE-2021-35515</a></p>
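Review bot: The closing paragraph of the new subsection contradicts the affected-range statement above it. "only that version and later versions are impacted" reads as including 1.24.0 and beyond, while the earlier paragraph says "from 1.22 before 1.24.0" and recommends 1.24.0 as the fix; suggest "only 1.22 and later versions before 1.24.0 are impacted." In the same paragraph, please confirm that CompressorStreamFactory is really the class meant for "auto-detection of file types" when parsing TAR: CompressorStreamFactory detects compression formats, and TAR archive detection in this library goes through ArchiveStreamFactory, which is the class a reader would need to check for in their own code. Finally, the text says "No input validation is performed prior to the parsing of header values" but never says what 1.24.0 changes; one sentence on the validation now applied to "atime", "ctime", "mtime" and "LIBARCHIVE.creationtime" would let users judge whether a local workaround (for example rejecting PAX headers before parsing) is still needed on older releases.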