| Name | CVE-2021-36090 |
| Description | When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 991041 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libcommons-compress-java (PTS) | bullseye | 1.20-1 | vulnerable |
| bookworm | 1.22-1 | fixed | |
| forky, sid, trixie | 1.27.1-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libcommons-compress-java | source | (unstable) | 1.21-1 | 991041 |
[bullseye] - libcommons-compress-java <no-dsa> (Minor issue)
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2021/07/13/4
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=ef5d70b625000e38404194aaab311b771c44efda
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f