See also https://github.com/google/oss-fuzz/pull/11616/files

Gary

On Mon, Feb 19, 2024 at 3:57 PM Gary Gregory <garydgreg...@gmail.com> wrote:
>
> Hi Magnus and all,
>
> This was discovered through fuzz testing, basically if some bits in
> some parts of a file follow some pattern, then the infinite loop kicks
> in. It only happens if your Commons Compress client code decides to
> parse a DUMP file.
>
> The ticket https://issues.apache.org/jira/browse/COMPRESS-632 is an
> umbrella ticket that gathers fuzz testing issues, and it was recently
> amended with further tests for this specific issue.
>
> The PR you show is for a different issue.
>
> Security issues are NOT reported or discussed in public until a fix is
> made available in a release.
>
> Please see:
> - https://commons.apache.org/proper/commons-compress/security.html
> - https://commons.apache.org/security.html
>
> Gary
>
> On Mon, Feb 19, 2024 at 3:33 PM Reftel, Magnus
> <magnus.ref...@skatteetaten.no.invalid> wrote:
> >
> > Hi,
> >
> > Are there any more details on this issue? For instance, under what 
> > circumstances would an application that uses the commons-compress library 
> > be vulnerable? The subject line hints that the flaw is specific to the Dump 
> > format. Is that correct? Are there any options that need to be 
> > enabled/disabled for the application to be vulnerable?
> > Also, is it correct that this is related to what was reported in 
> > https://issues.apache.org/jira/browse/COMPRESS-632 and was fixed in 
> > https://github.com/apache/commons-compress/pull/442 ?
> >
> > Best Regards
> > Magnus Reftel
> >
> > On 2024/02/19 01:25:47 "Gary D. Gregory" wrote:
> > > Severity: important
> > >
> > > Affected versions:
> > >
> > > - Apache Commons Compress 1.3 through 1.25.0
> > >
> > > Description:
> > >
> > > Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in 
> > > Apache Commons Compress. This issue affects Apache Commons Compress: from 
> > > 1.3 through 1.25.0.
> > >
> > > Users are recommended to upgrade to version 1.26.0 which fixes the issue.
> > >
> > > Credit:
> > >
> > > Yakov Shafranovich, Amazon Web Services (reporter)
> > >
> > > References:
> > >
> > > https://commons.apache.org/
> > > https://www.cve.org/CVERecord?id=CVE-2024-25710
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
> > > For additional commands, e-mail: user-h...@commons.apache.org
> > >
> > >
> >
