Bug#1052065: libcommons-compress-java: CVE-2023-42503

Salvatore Bonaccorso carnil at debian.org
Sat Sep 16 21:48:16 BST 2023


Source: libcommons-compress-java
Version: 1.22-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for libcommons-compress-java.

CVE-2023-42503[0]:
| Improper Input Validation, Uncontrolled Resource Consumption
| vulnerability in Apache Commons Compress in TAR parsing. This issue
| affects Apache Commons Compress: from 1.22 before 1.24.0. Users are
| recommended to upgrade to version 1.24.0, which fixes the issue. A
| third party can create a malformed TAR file by manipulating file
| modification times headers, which when parsed with Apache Commons
| Compress, will cause a denial of service issue via CPU consumption.
| In version 1.22 of Apache Commons Compress, support was added for
| file modification times with higher precision (issue # COMPRESS-612
| [1]). The format for the PAX extended headers carrying this data
| consists of two numbers separated by a period [2], indicating
| seconds and subsecond precision (for example “1647221103.5998539”).
| The impacted fields are “atime”, “ctime”, “mtime” and
| “LIBARCHIVE.creationtime”. No input validation is performed prior to
| the parsing of header values. Parsing of these numbers uses the
| BigDecimal [3] class from the JDK which has a publicly known
| algorithmic complexity issue when doing operations on large numbers,
| causing denial of service (see issue # JDK-6560193 [4]). A third
| party can manipulate file time headers in a TAR file by placing a
| number with a very long fraction (300,000 digits) or a number with
| exponent notation (such as “9e9999999”) within a file modification
| time header, and the parsing of files with these headers will take
| hours instead of seconds, leading to a denial of service via
| exhaustion of CPU resources. This issue is similar to CVE-2012-2098
| [5].
|
| [1]: https://issues.apache.org/jira/browse/COMPRESS-612
| [2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05
| [3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html
| [4]: https://bugs.openjdk.org/browse/JDK-6560193
| [5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
|
| Only applications using CompressorStreamFactory class (with auto-
| detection of file types), TarArchiveInputStream and TarFile classes
| to parse TAR files are impacted. Since this code was introduced in
| v1.22, only that version and later versions are impacted.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42503
    https://www.cve.org/CVERecord?id=CVE-2023-42503
[1] https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c

Regards,
Salvatore
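The time-field grammar and the missing validation described in the quoted CVE text, as an added example that is not part of the bug report and not Apache Commons Compress code (the library is Java; this is illustrative Python written for this page): a small PAX extended-header reader that bounds and pattern-checks "seconds[.fraction]" values before any numeric conversion, so that the two hostile shapes the CVE names (exponent notation and a 300,000-digit fraction) are rejected rather than parsed. The length limits, the nanosecond truncation and the floor semantics for negative times are this example's own choices, not something the pax specification or the upstream 1.24.0 fix mandates; the sample headers are constructed inline.

```python
import re

# PAX keywords carrying "seconds[.fraction]" values (the ones the CVE lists).
TIME_KEYWORDS = {"atime", "ctime", "mtime", "LIBARCHIVE.creationtime"}

# Assumed limits (this example's choice, not from the spec): room for any
# 64-bit epoch value plus a long fraction, far too small for an attack.
MAX_TIME_VALUE_LEN = 40
MAX_RECORD_LEN = 1 << 16

# Strict grammar: optional '-', ASCII digits, optional '.' and fraction digits.
# Exponent notation such as "9e9999999" simply fails to match.
_TIME_RE = re.compile(r"(-?)([0-9]+)(?:\.([0-9]*))?")


def parse_pax_time(value: str) -> tuple:
    """Return (seconds, nanoseconds) for a PAX time value, else raise ValueError.

    Every check runs before any numeric conversion, so attacker-controlled
    text never reaches an arbitrary-precision parser (the CVE's failure mode).
    """
    if len(value) > MAX_TIME_VALUE_LEN:
        raise ValueError("time value too long (%d chars)" % len(value))
    m = _TIME_RE.fullmatch(value)
    if not m:
        raise ValueError("malformed time value: %r" % value)
    sign, secs, frac = m.group(1), m.group(2), m.group(3) or ""
    seconds = int(secs)
    # Keep nanosecond precision: extra digits are truncated, never expanded.
    nanos = int(frac[:9].ljust(9, "0"))
    if sign:
        seconds = -seconds
        if nanos:
            # Floor semantics (our choice): "-1.5" -> (-2, 500_000_000)
            seconds -= 1
            nanos = 1_000_000_000 - nanos
    return seconds, nanos


def parse_pax_headers(block: bytes) -> dict:
    """Parse "<len> <keyword>=<value>\\n" records from a PAX extended header.

    Time keywords are validated with parse_pax_time(); one bad record makes
    the whole header invalid, the safe choice for untrusted archive input.
    """
    headers = {}
    pos = 0
    while pos < len(block):
        space = block.find(b" ", pos)
        if space == -1:
            raise ValueError("missing length field")
        length_str = block[pos:space]
        if not length_str.isdigit() or len(length_str) > 6:  # bounded digits
            raise ValueError("bad record length: %r" % length_str)
        length = int(length_str)
        if (length <= space - pos + 1 or length > MAX_RECORD_LEN
                or pos + length > len(block)):
            raise ValueError("record length %d out of range" % length)
        record = block[pos:pos + length]
        if record[-1:] != b"\n":
            raise ValueError("record not newline-terminated")
        body = record[space - pos + 1:-1].decode("utf-8")  # UnicodeDecodeError is a ValueError
        key, sep, value = body.partition("=")
        if not sep:
            raise ValueError("record without '=': %r" % body)
        if key in TIME_KEYWORDS:
            parse_pax_time(value)  # raises on hostile input
        headers[key] = value
        pos += length
    return headers


def pax_record(key: str, value: str) -> bytes:
    """Build one PAX record; per POSIX the length field counts its own digits."""
    body = (" %s=%s\n" % (key, value)).encode("utf-8")
    n = len(body)
    length = n + len(str(n))
    if len(str(length)) > len(str(n)):  # crossing a power of ten adds a digit
        length += 1
    return str(length).encode() + body


# Constructed sample inputs: one benign header and the two shapes the CVE names.
GOOD_HEADER = pax_record("path", "a/b.txt") + pax_record("mtime", "1647221103.5998539")
EXPONENT_HEADER = pax_record("mtime", "9e9999999")
LONG_FRACTION_HEADER = pax_record("atime", "1." + "9" * 300000)


def classify(block: bytes) -> str:
    """'ok' if the header parses, otherwise the reason it was rejected."""
    try:
        parse_pax_headers(block)
        return "ok"
    except ValueError as e:
        return "rejected: %s" % e


if __name__ == "__main__":
    for name, blk in [("good", GOOD_HEADER), ("exponent", EXPONENT_HEADER),
                      ("long-fraction", LONG_FRACTION_HEADER)]:
        print(name, "->", classify(blk))
```

The 300,000-digit case is stopped twice over: the record length exceeds MAX_RECORD_LEN before the value is even sliced out, and parse_pax_time() would independently refuse it on length. Rejecting on shape (a regex over a bounded string) is cheap and deterministic, which is the property the unvalidated BigDecimal path lacked.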
