https://bugzilla.redhat.com/show_bug.cgi?id=1981903
Bug ID: 1981903
Summary: CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: dblechte(a)redhat.com, dfediuck(a)redhat.com,
eedri(a)redhat.com, hhorak(a)redhat.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jorton(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com,
mkoncek(a)redhat.com, sbonazzo(a)redhat.com,
sherold(a)redhat.com, SpikeFedora(a)gmail.com,
yturgema(a)redhat.com
Target Milestone: ---
Classification: Other
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory, eventually leading to an out-of-memory error even for very small inputs. This could be used to mount a denial-of-service attack against services that use Compress' tar package.
References:
https://commons.apache.org/proper/commons-compress/security-reports.html
https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f66...
http://www.openwall.com/lists/oss-security/2021/07/13/3