Hi Magnus and all,

This was discovered through fuzz testing, basically if some bits in
some parts of a file follow some pattern, then the infinite loop kicks
in. It only happens if your Commons Compress client code decides to
parse a DUMP file.

The ticket https://issues.apache.org/jira/browse/COMPRESS-632 is an
umbrella ticket that gathers fuzz testing issues, and it was recently
amended with further tests for this specific issue.

The PR you show is for a different issue.

Security issues are NOT reported or discussed in public until a fix is
made available in a release.

Please see:
- https://commons.apache.org/proper/commons-compress/security.html
- https://commons.apache.org/security.html

Gary
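
The thread's point is that exposure depends on whether client code ever routes untrusted input to the DUMP parser. The following is an added example, not code from this thread or from the Commons Compress project, showing one way to keep that from happening: sniff the format with the library's own detector and open a parser only for an allowlisted set of formats. It assumes Commons Compress 1.26.0 (the generic `ArchiveInputStream<?>` signature, `ArchiveStreamFactory.DEFAULT`, and the static `ArchiveStreamFactory.detect`); the `RestrictedArchiveOpener` class and its ZIP/TAR allowlist are hypothetical choices for illustration.

```java
// Added example (not from the thread or the Commons Compress project):
// hand archive input only to the parsers this application actually needs,
// so untrusted data is never routed to DumpArchiveInputStream.
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Set;

import org.apache.commons.compress.archivers.ArchiveException;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.ArchiveStreamFactory;

public final class RestrictedArchiveOpener {
    // Hypothetical allowlist: the formats this application legitimately accepts.
    // DUMP is deliberately absent.
    private static final Set<String> ALLOWED =
            Set.of(ArchiveStreamFactory.ZIP, ArchiveStreamFactory.TAR);

    private RestrictedArchiveOpener() {}

    /**
     * Detects the archive format with the library's own sniffer and opens a
     * parser only for allowlisted formats. Anything else, including the DUMP
     * format named in the advisory, is rejected before any format-specific
     * parsing runs. Contrast this with createArchiveInputStream(InputStream),
     * which auto-detects and would happily construct a DUMP parser.
     */
    public static ArchiveInputStream<?> open(InputStream raw)
            throws IOException, ArchiveException {
        // detect() requires mark/reset support on the stream.
        InputStream in = raw.markSupported() ? raw : new BufferedInputStream(raw);
        String format = ArchiveStreamFactory.detect(in);
        if (!ALLOWED.contains(format)) {
            throw new ArchiveException("archive format not allowed: " + format);
        }
        return ArchiveStreamFactory.DEFAULT.createArchiveInputStream(format, in);
    }
}
```

Restricting formats limits exposure to the parser the advisory names; upgrading to 1.26.0 as the advisory recommends is still the actual fix.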

On Mon, Feb 19, 2024 at 3:33 PM Reftel, Magnus
<magnus.ref...@skatteetaten.no.invalid> wrote:
>
> Hi,
>
> Are there any more details on this issue? For instance, under what 
> circumstances would an application that uses the commons-compress library be 
> vulnerable? The subject line hints that the flaw is specific to the Dump 
> format. Is that correct? Are there any options that need to be 
> enabled/disabled for the application to be vulnerable?
> Also, is it correct that this is related to what was reported in 
> https://issues.apache.org/jira/browse/COMPRESS-632 and was fixed in 
> https://github.com/apache/commons-compress/pull/442 ?
>
> Best Regards
> Magnus Reftel
>
> On 2024/02/19 01:25:47 "Gary D. Gregory" wrote:
> > Severity: important
> >
> > Affected versions:
> >
> > - Apache Commons Compress 1.3 through 1.25.0
> >
> > Description:
> >
> > Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in 
> > Apache Commons Compress. This issue affects Apache Commons Compress: from 
> > 1.3 through 1.25.0.
> >
> > Users are recommended to upgrade to version 1.26.0 which fixes the issue.
> >
> > Credit:
> >
> > Yakov Shafranovich, Amazon Web Services (reporter)
> >
> > References:
> >
> > https://commons.apache.org/
> > https://www.cve.org/CVERecord?id=CVE-2024-25710
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
> > For additional commands, e-mail: user-h...@commons.apache.org
> >
> >
>
> ________________________________
> This e-mail and any attachments are intended solely for the institution or 
> person to whom it is addressed and may be subject to statutory 
> confidentiality. If this e-mail was sent in error, please delete it and 
> contact the Norwegian Tax Administration (Skatteetaten).
> The contents of this email message and any attachments are intended solely 
> for the addressee(s) and may contain confidential information and may be 
> legally protected from disclosure. If you are not the intended recipient of 
> this message, please immediately delete the message and alert the Norwegian 
> Tax Administration.
