This is an automated email from the ASF dual-hosted git repository. dongjoon pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/orc.git
commit 0d233fb2b3c2f5afbfc20f9a7f558b33d3f01e06 Author: Dongjoon Hyun <[email protected]> AuthorDate: Tue May 13 07:44:42 2025 -0700 Add CVE-2025-47436 to security page --- security/{ => CVE-2025-47436}/index.html | 66 +++++++++++++++----------------- security/index.html | 1 + 2 files changed, 32 insertions(+), 35 deletions(-) diff --git a/security/index.html b/security/CVE-2025-47436/index.html similarity index 69% copy from security/index.html copy to security/CVE-2025-47436/index.html index 0cff6b64c..3a22b588e 100644 --- a/security/index.html +++ b/security/CVE-2025-47436/index.html @@ -2,7 +2,7 @@ <html lang="en-US"> <head> <meta charset="UTF-8"> - <title>Security</title> + <title>CVE-2025-47436</title> <meta name="viewport" content="width=device-width,initial-scale=1"> <meta name="generator" content="Jekyll v4.3.4"> <link rel="stylesheet" href="//fonts.googleapis.com/css?family=Lato:300,300italic,400,400italic,700,700italic,900"> 
@@ -112,55 +112,51 @@ <div class="unit whole"> <article> - <h1>Security</h1> - <p>Apache ORC is a library rather than an execution framework and thus -is less likely to have security vulnerabilities. However, if you have -discovered one, please follow the process below.</p> + <h1>CVE-2025-47436</h1> + <h1 id="potential-heap-buffer-overflow-during-c-lzo-decompression">Potential Heap Buffer Overflow during C++ LZO Decompression</h1> -<h2 id="reporting-a-vulnerability">Reporting a Vulnerability</h2> +<h2 id="date">Date:</h2> +<p>2025-05-13</p> -<p>We strongly encourage folks to report security vulnerabilities to our -private security mailing list first, before disclosing them in a -public forum.</p> +<h2 id="severity">Severity:</h2> -<p>Please note that the security mailing list should only be used for -reporting undisclosed security vulnerabilities in Apache ORC and -managing the process of fixing such vulnerabilities. We cannot accept -regular bug reports or other security related queries at this -address. All mail sent to this address that does not relate to an -undisclosed security problem in Apache ORC will be ignored.</p> +<p>Medium</p> -<p>The ORC security mailing list address is: -<a href="mailto:[email protected]">[email protected]</a>. -This is a private mailing list and only members of the ORC project -are subscribed.</p> +<h2 id="vendor">Vendor:</h2> -<p>Please note that we do not use a team GnuPG key. 
If you wish to -encrypt your e-mail to [email protected] then please use the GnuPG -keys from <a href="https://dist.apache.org/repos/dist/release/orc/KEYS">ORC GPG keys</a> for -the members of the -<a href="https://people.apache.org/phonebook.html?ctte=orc">ORC PMC</a>.</p> +<p><a href="https://apache.org">The Apache Software Foundation</a></p> -<h2 id="vulnerability-handling">Vulnerability Handling</h2> - -<p>An overview of the vulnerability handling process is:</p> +<h2 id="versions-affected">Versions Affected:</h2> <ul> - <li>The reporter sends email to the project privately.</li> - <li>The project works privately with the reporter to resolve the vulnerability.</li> - <li>The project releases a new version that includes the fix.</li> - <li>The vulnerability is publicly announced via a <a href="https://cve.mitre.org/">CVE</a> to the mailing lists and the original reporter.</li> + <li>Apache ORC through 1.8.8</li> + <li>Apache ORC 1.9.0 through 1.9.5</li> + <li>Apache ORC 2.0.0 through 2.0.4</li> + <li>Apache ORC 2.1.0 through 2.1.1</li> </ul> -<p>The full process can be found on the -<a href="https://www.apache.org/security/committers.html#vulnerability-handling">Apache Security Process</a> page.</p> +<h2 id="description">Description:</h2> + +<p>A vulnerability has been identified in the ORC C++ LZO decompression logic, +where specially crafted malformed ORC files can cause the decompressor +to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. 
+It causes memory corruption due to insufficient input buffer boundary validation during decompression.</p> + +<p>This issue is being tracked as ORC-1879</p> -<h2 id="fixed-cves">Fixed CVEs</h2> +<h2 id="mitigation">Mitigation:</h2> <ul> - <li><a href="CVE-2018-8015">CVE-2018-8015</a> - ORC files with malformed types cause stack overflow.</li> + <li>Upgrade to 1.8.9, 1.9.6, 2.0.5, and 2.1.2</li> </ul> +<h2 id="credit">Credit:</h2> + +<p>This issue was discovered by Jason Villaluna.</p> + +<h2 id="references">References:</h2> +<p><a href="/security">Apache ORC security</a></p> + </article> </div> diff --git a/security/index.html b/security/index.html index 0cff6b64c..0a7325074 100644 --- a/security/index.html +++ b/security/index.html @@ -159,6 +159,7 @@ the members of the <ul> <li><a href="CVE-2018-8015">CVE-2018-8015</a> - ORC files with malformed types cause stack overflow.</li> + <li><a href="CVE-2025-47436">CVE-2025-47436</a> - Potential Heap Buffer Overflow during C++ LZO Decompression</li> </ul> </article>
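Review bot: In the first hunk, the new `<title>` carries only the bare identifier "CVE-2025-47436"; since this page is a copy of the security index and the browser tab and search snippets are built from the title, consider adding the advisory name, e.g. `<title>CVE-2025-47436: Potential Heap Buffer Overflow during C++ LZO Decompression</title>`, so the page is distinguishable from the index and from future CVE pages without opening it.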
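Review bot: The second hunk leaves the article with two `<h1>` elements ("CVE-2025-47436" and "Potential Heap Buffer Overflow during C++ LZO Decompression"); demote the second to an `<h2>` or fold it into one heading, matching the single-`<h1>` structure the original Security page had. The Mitigation bullet "Upgrade to 1.8.9, 1.9.6, 2.0.5, and 2.1.2" reads as if all four releases were required; since each is the fixed release of one affected line, "or" (one per line listed under Versions Affected) would be clearer, and the line "This issue is being tracked as ORC-1879" is missing its period and a link to the issue tracker entry, which would also fit under References next to the `/security` link. The description has a number-agreement slip ("can cause the decompressor to allocate ... but then attempts to copy"; should be "attempt"). Finally, the title scopes the flaw to the C++ LZO decompressor while Versions Affected lists whole ORC release ranges; a sentence stating whether the Java reader is in scope would help users decide whether they need to upgrade.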
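Review bot: In the third hunk the new Fixed CVEs entry ends without a period and uses Title Case ("Potential Heap Buffer Overflow during C++ LZO Decompression"), whereas the existing CVE-2018-8015 entry above it is a sentence ending in a period; align the new item with the existing style, e.g. "- Malformed ORC files cause a heap buffer overflow in the C++ LZO decompressor." so the list reads consistently.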
