CVE-2021-35516

NameCVE-2021-35516
DescriptionWhen reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs991041

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcommons-compress-java (PTS)stretch1.13-1vulnerable
buster1.18-2+deb10u1vulnerable
bullseye, sid1.20-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcommons-compress-javasource(unstable)(unfixed)991041

Notes

[bullseye] - libcommons-compress-java <no-dsa> (Minor issue)
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2021/07/13/2

Search for package or bug name: Reporting problems