CVE-2019-12402

Name: CVE-2019-12402
Description: The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 939610

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                   Release         Version   Status
libcommons-compress-java (PTS)   jessie          1.9-1     fixed
libcommons-compress-java (PTS)   stretch         1.13-1    fixed
libcommons-compress-java (PTS)   buster          1.18-2    vulnerable
libcommons-compress-java (PTS)   bullseye, sid   1.18-3    fixed

The information below is based on the following data on fixed versions.

Package                    Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
libcommons-compress-java   source   (unstable)   1.18-3           low                939610
libcommons-compress-java   source   jessie       (not affected)
libcommons-compress-java   source   stretch      (not affected)

Notes

[buster] - libcommons-compress-java <no-dsa> (Minor issue)
[stretch] - libcommons-compress-java <not-affected> (Vulnerable code introduced later)
[jessie] - libcommons-compress-java <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2019/08/27/1
Fixed in upstream commit: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581