On 2021-05-24, Tero Saarni wrote:

> We are getting reports from JFrog Xray vulnerability scanner that seem
> to be related to recently fixed OSS-Fuzz issues:

I wasn't aware of this effect. This is very unfortunate.

> * Summary: Apache Commons Compress archivers/zip/ZipFile.java
>   ZipFile::readCentralDirectoryEntry() Function Uncaught Exception DoS
>   Severity: High

> * Summary: Apache Commons Compress archivers/tar/TarArchiveEntry.java
>   TarArchiveEntry::processPaxHeader() Function Uncaught Runtime Exception DoS
>   Severity: High

> In the previous thread it was said that none of the fuzzer findings was
> deemed a security issue. Were these incorrectly flagged by the
> vulnerability scanner?

Historically we have never considered uncaught runtime exceptions to be
security issues. We've fixed similar issues in the past and still do.

So when I said nothing had been deemed a security issue I meant
"deemed by us". Unfortunately the OSS Fuzz classification doesn't match
ours.

There are a few more cases around 7z that have not been flagged as
security issues - I have no idea why not.

In all cases corrupt archives may cause RuntimeExceptions
(ArrayIndexOutOfBounds, IllegalArgument, BufferUnderflow, ...) rather
than IOExceptions. If you try to read archives from untrusted sources,
this may lead to unexpected exceptions.

> I'd be curious to know if there is a planned date for commons-compress
> 1.21?

There is no planned date I am aware of.

Stefan
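The point Stefan makes about corrupt archives surfacing as RuntimeExceptions rather than IOExceptions is easy to defend against at the call site. The following is an added example, not code from the thread or from Commons Compress itself: it assumes commons-compress on the classpath, constructs an obviously invalid tar header as input, and wraps whatever the parser throws (IOException or any RuntimeException) into one checked exception so a worker thread processing untrusted archives cannot be killed by an unexpected unchecked exception. The class and exception names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;

public class UntrustedTarReader {

    /** Hypothetical checked exception: raised for any archive the parser cannot handle. */
    public static final class MalformedArchiveException extends IOException {
        MalformedArchiveException(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Lists entry names of a tar archive supplied by an untrusted source. */
    public static List<String> listEntries(byte[] untrusted) throws MalformedArchiveException {
        List<String> names = new ArrayList<>();
        try (TarArchiveInputStream tar =
                     new TarArchiveInputStream(new ByteArrayInputStream(untrusted))) {
            TarArchiveEntry entry;
            while ((entry = tar.getNextTarEntry()) != null) {
                names.add(entry.getName());
            }
        } catch (IOException e) {
            throw new MalformedArchiveException("archive rejected by parser", e);
        } catch (RuntimeException e) {
            // Corrupt input may surface as ArrayIndexOutOfBounds, IllegalArgument,
            // BufferUnderflow, ... instead of IOException (depending on the release);
            // treat those exactly like a parser-reported malformed archive.
            throw new MalformedArchiveException(
                    "archive triggered " + e.getClass().getSimpleName(), e);
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample: a 512-byte header block of 0x7f bytes is not a valid
        // ustar header (size and checksum fields must be octal digits), followed by
        // an all-zero block. Which exception the parser raises depends on the version.
        byte[] corrupt = new byte[1024];
        Arrays.fill(corrupt, 0, 512, (byte) 0x7f);
        try {
            System.out.println(listEntries(corrupt));
        } catch (MalformedArchiveException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```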
