Posted to commits@commons.apache.org by bo...@apache.org on 2019/08/27 19:14:09 UTC

[commons-compress] branch master updated: record CVE-2019-12402

This is an automated email from the ASF dual-hosted git repository.

bodewig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git


The following commit(s) were added to refs/heads/master by this push:
     new a98d68e  record CVE-2019-12402
a98d68e is described below

commit a98d68e2b5c7b018db5153eb37ba38297027c852
Author: Stefan Bodewig <bo...@apache.org>
AuthorDate: Tue Aug 27 21:13:56 2019 +0200

    record CVE-2019-12402
---
 src/changes/changes.xml            |  4 ++++
 src/site/xdoc/security-reports.xml | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 0d1e524..a53f087 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -166,6 +166,10 @@ when they are read via ZipArchiveInputStream or ZipFile.
         added that sets SevenZArchiveEntry's name to the default name
         if it is not contained inside the archive.
       </action>
+      <action type="fix" date="2019-08-20">
+        NioZipEncoding#encode could enter an infinite loop for certain
+        inputs.
+      </action>
     </release>
     <release version="1.18" date="2018-08-16"
              description="Release 1.18">
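Review bot: The new `<action>` entry (the `+` lines after `</action>`) does not mention CVE-2019-12402 even though the commit exists to record it, so the generated release notes will not tie the NioZipEncoding#encode infinite-loop fix to the advisory. Suggest including the identifier in the entry text, e.g. `NioZipEncoding#encode could enter an infinite loop for certain inputs (CVE-2019-12402).`, so readers of changes.xml can cross-reference the security-reports page.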
diff --git a/src/site/xdoc/security-reports.xml b/src/site/xdoc/security-reports.xml
index 9edb443..9d37109 100644
--- a/src/site/xdoc/security-reports.xml
+++ b/src/site/xdoc/security-reports.xml
@@ -54,6 +54,26 @@
         the descriptions here are incomplete, please report them
         privately to the Apache Security Team. Thank you.</p>
 
+        <subsection name="Fixed in Apache Commons Compress 1.19">
+          <p><b>Low: Denial of Service</b> <a
+          href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402">CVE-2019-12402</a></p>
+
+          <p>The file name encoding algorithm used internally in Apache Commons
+          Compress can get into an infinite loop when faced with specially
+          crafted inputs. This can lead to a denial of service attack if an
+          attacker can choose the file names inside of an archive created by
+          Compress.</p>
+
+          <p>This was fixed in revision <a
+          href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581">4ad5d80a</a>.</p>
+
+          <p>This was first reported to the Commons Security Team on 22 August
+          2019 and made public on 27 August 2019.</p>
+
+          <p>Affects: 1.15 - 1.18</p>
+
+        </subsection>
+
         <subsection name="Fixed in Apache Commons Compress 1.18">
           <p><b>Low: Denial of Service</b> <a
           href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771">CVE-2018-11771</a></p>
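Review bot: The dates in the two hunks are inconsistent: the changes.xml entry dates the fix 2019-08-20, while this subsection says the issue was first reported on 22 August 2019, which puts the fix before the report. Suggest confirming which date is correct, or wording the `<p>This was first reported ...` paragraph so it is clear the bug was fixed before it was recognised as a security issue. The description also refers only to "the file name encoding algorithm used internally"; naming the code path from the changes.xml entry (NioZipEncoding#encode, used when writing zip entry names) would help users judge whether their use of Compress is exposed.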