RE: Re: CVE-2024-25710: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file

2024-02-19 Thread Reftel, Magnus
Thank you, that clears things up a lot!

Best Regards
Magnus Reftel



Re: CVE-2024-25710: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file

2024-02-19 Thread Gary Gregory
See also https://github.com/google/oss-fuzz/pull/11616/files

Gary




Re: CVE-2024-25710: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file

2024-02-19 Thread Gary Gregory
Hi Magnus and all,

This was discovered through fuzz testing, basically if some bits in
some parts of a file follow some pattern, then the infinite loop kicks
in. It only happens if your Commons Compress client code decides to
parse a DUMP file.

The ticket https://issues.apache.org/jira/browse/COMPRESS-632 is an
umbrella ticket that gathers fuzz testing issues, and it was recently
amended with further tests for this specific issue.

The PR you show is for a different issue.

Security issues are NOT reported or discussed in public until a fix is
made available in a release.

Please see:
- https://commons.apache.org/proper/commons-compress/security.html
- https://commons.apache.org/security.html

Gary




RE: CVE-2024-25710: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file

2024-02-19 Thread Reftel, Magnus
Hi,

Are there any more details on this issue? For instance, under what 
circumstances would an application that uses the commons-compress library be 
vulnerable? The subject line hints that the flaw is specific to the Dump 
format. Is that correct? Are there any options that need to be enabled/disabled 
for the application to be vulnerable?
Also, is it correct that this is related to what was reported in 
https://issues.apache.org/jira/browse/COMPRESS-632 and was fixed in 
https://github.com/apache/commons-compress/pull/442 ?

Best Regards
Magnus Reftel

On 2024/02/19 01:25:47 "Gary D. Gregory" wrote:
> Severity: important
>
> Affected versions:
>
> - Apache Commons Compress 1.3 through 1.25.0
>
> Description:
>
> Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in 
> Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 
> through 1.25.0.
>
> Users are recommended to upgrade to version 1.26.0 which fixes the issue.
>
> Credit:
>
> Yakov Shafranovich, Amazon Web Services (reporter)
>
> References:
>
> https://commons.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2024-25710