CVE-2021-36090

NameCVE-2021-36090
DescriptionWhen reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs991041

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcommons-compress-java (PTS)buster1.18-2+deb10u1vulnerable
bullseye1.20-1vulnerable
bookworm1.22-1fixed
sid, trixie1.25.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcommons-compress-javasource(unstable)1.21-1991041

Notes

[bullseye] - libcommons-compress-java <no-dsa> (Minor issue)
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2021/07/13/4
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=ef5d70b625000e38404194aaab311b771c44efda
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f

Search for package or bug name: Reporting problems