This is an automated email from the ASF dual-hosted git repository.

dongjoon pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/orc.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new cd490fb17 Add CVE-2025-47436 to security page
cd490fb17 is described below

commit cd490fb17d0bde051472c2df4ab918e81029bb66
Author: Dongjoon Hyun <[email protected]>
AuthorDate: Tue May 13 07:44:42 2025 -0700

    Add CVE-2025-47436 to security page
---
 security/{ => CVE-2025-47436}/index.html | 66 +++++++++++++++-----------------
 security/index.html                      |  1 +
 2 files changed, 32 insertions(+), 35 deletions(-)

diff --git a/security/index.html b/security/CVE-2025-47436/index.html
similarity index 69%
copy from security/index.html
copy to security/CVE-2025-47436/index.html
index 0cff6b64c..ecce948d9 100644
--- a/security/index.html
+++ b/security/CVE-2025-47436/index.html
@@ -2,7 +2,7 @@
 <html lang="en-US">
 <head>
   <meta charset="UTF-8">
-  <title>Security</title>
+  <title>CVE-2025-47436</title>
   <meta name="viewport" content="width=device-width,initial-scale=1">
   <meta name="generator" content="Jekyll v4.3.4">
   <link rel="stylesheet" 
href="//fonts.googleapis.com/css?family=Lato:300,300italic,400,400italic,700,700italic,900">
@@ -112,55 +112,51 @@
 
     <div class="unit whole">
       <article>
-        <h1>Security</h1>
-        <p>Apache ORC is a library rather than an execution framework and thus
-is less likely to have security vulnerabilities. However, if you have
-discovered one, please follow the process below.</p>
+        <h1>CVE-2025-47436</h1>
+        <h1 
id="potential-heap-buffer-overflow-during-c-lzo-decompression">Potential Heap 
Buffer Overflow during C++ LZO Decompression</h1>
 
-<h2 id="reporting-a-vulnerability">Reporting a Vulnerability</h2>
+<h2 id="date">Date:</h2>
+<p>2025-05-13</p>
 
-<p>We strongly encourage folks to report security vulnerabilities to our
-private security mailing list first, before disclosing them in a
-public forum.</p>
+<h2 id="severity">Severity:</h2>
 
-<p>Please note that the security mailing list should only be used for
-reporting undisclosed security vulnerabilities in Apache ORC and
-managing the process of fixing such vulnerabilities. We cannot accept
-regular bug reports or other security related queries at this
-address. All mail sent to this address that does not relate to an
-undisclosed security problem in Apache ORC will be ignored.</p>
+<p>Medium</p>
 
-<p>The ORC security mailing list address is:
-<a href="mailto:[email protected]";>[email protected]</a>.
-This is a private mailing list and only members of the ORC project
-are subscribed.</p>
+<h2 id="vendor">Vendor:</h2>
 
-<p>Please note that we do not use a team GnuPG key. If you wish to
-encrypt your e-mail to [email protected] then please use the GnuPG
-keys from <a href="https://dist.apache.org/repos/dist/release/orc/KEYS";>ORC 
GPG keys</a> for
-the members of the
-<a href="https://people.apache.org/phonebook.html?ctte=orc";>ORC PMC</a>.</p>
+<p><a href="https://apache.org";>The Apache Software Foundation</a></p>
 
-<h2 id="vulnerability-handling">Vulnerability Handling</h2>
-
-<p>An overview of the vulnerability handling process is:</p>
+<h2 id="versions-affected">Versions Affected:</h2>
 
 <ul>
-  <li>The reporter sends email to the project privately.</li>
-  <li>The project works privately with the reporter to resolve the 
vulnerability.</li>
-  <li>The project releases a new version that includes the fix.</li>
-  <li>The vulnerability is publicly announced via a <a 
href="https://cve.mitre.org/";>CVE</a> to the mailing lists and the original 
reporter.</li>
+  <li>Apache ORC through 1.8.8</li>
+  <li>Apache ORC 1.9.0 through 1.9.5</li>
+  <li>Apache ORC 2.0.0 through 2.0.4</li>
+  <li>Apache ORC 2.1.0 through 2.1.1</li>
 </ul>
 
-<p>The full process can be found on the
-<a 
href="https://www.apache.org/security/committers.html#vulnerability-handling";>Apache
 Security Process</a> page.</p>
+<h2 id="description">Description:</h2>
+
+<p>A vulnerability has been identified in the ORC C++ LZO decompression logic,
+where specially crafted malformed ORC files can cause the decompressor
+to allocate a 250-byte buffer but then attempts to copy 295 bytes into it.
+It causes memory corruption.</p>
+
+<p>This issue is being tracked as ORC-1879</p>
 
-<h2 id="fixed-cves">Fixed CVEs</h2>
+<h2 id="mitigation">Mitigation:</h2>
 
 <ul>
-  <li><a href="CVE-2018-8015">CVE-2018-8015</a> - ORC files with malformed 
types cause stack overflow.</li>
+  <li>Upgrade to 1.8.9, 1.9.6, 2.0.5, and 2.1.2</li>
 </ul>
 
+<h2 id="credit">Credit:</h2>
+
+<p>This issue was discovered by Jason Villaluna.</p>
+
+<h2 id="references">References:</h2>
+<p><a href="/security">Apache ORC security</a></p>
+
       </article>
     </div>
 
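Review bot: the Mitigation bullet in this hunk reads "Upgrade to 1.8.9, 1.9.6, 2.0.5, and 2.1.2", but a given deployment upgrades to one of these (the first fixed release on its own line), so it should read "Upgrade to 1.8.9, 1.9.6, 2.0.5, or 2.1.2" (or later on each line). In the Description paragraph the verb does not agree with its subject: "can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory corruption." reads better as "can cause the decompressor to allocate a 250-byte buffer and then attempt to copy 295 bytes into it, corrupting heap memory." The line "This issue is being tracked as ORC-1879" is missing its terminating period and would be more useful as a link to the tracker issue, and the page ends up with two <h1> elements (the CVE id and the descriptive title); consider making the descriptive title an <h2> so the heading hierarchy matches the rest of the site.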
diff --git a/security/index.html b/security/index.html
index 0cff6b64c..0a7325074 100644
--- a/security/index.html
+++ b/security/index.html
@@ -159,6 +159,7 @@ the members of the
 
 <ul>
   <li><a href="CVE-2018-8015">CVE-2018-8015</a> - ORC files with malformed 
types cause stack overflow.</li>
+  <li><a href="CVE-2025-47436">CVE-2025-47436</a> - Potential Heap Buffer 
Overflow during C++ LZO Decompression</li>
 </ul>
 
       </article>
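Review bot: the new "Fixed CVEs" entry is formatted inconsistently with the existing CVE-2018-8015 entry, which is a lowercase sentence ending in a period ("ORC files with malformed types cause stack overflow."); suggest matching it, e.g. "CVE-2025-47436 - malformed ORC files cause heap buffer overflow during C++ LZO decompression.", so the list reads uniformly.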
