CVE-2019-12402

NameCVE-2019-12402
DescriptionThe file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs939610

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcommons-compress-java (PTS)bullseye1.20-1fixed
bookworm1.22-1fixed
sid, trixie1.27.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcommons-compress-javasourcejessie(not affected)
libcommons-compress-javasourcestretch(not affected)
libcommons-compress-javasourcebuster1.18-2+deb10u1
libcommons-compress-javasource(unstable)1.18-3low939610

Notes

[stretch] - libcommons-compress-java <not-affected> (Vulnerable code introduced later)
[jessie] - libcommons-compress-java <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2019/08/27/1
Fixed in upstream commit: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581
Search for package or bug name: Reporting problems