DescriptionWhen reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs991041

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcommons-compress-java (PTS)bullseye1.20-1vulnerable
sid, trixie1.25.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[bullseye] - libcommons-compress-java <no-dsa> (Minor issue)
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
[stretch] - libcommons-compress-java <no-dsa> (Minor issue);a=commit;h=d0af873e77d16f41edfef7b69da5c8c35c96a650;a=commit;h=7ce1b0796d6cbe1f41b969583bd49f33ae0efef0;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f

Search for package or bug name: Reporting problems