
Update to latest commons-compress library #1078

Closed
raducoravu opened this issue Sep 11, 2019 · 2 comments · Fixed by #1133
Labels
status: has PR (The issue is being processed in a pull request); type: maintenance (The issue is related to a meta task (build system, dependency update, etc))

Comments

@raducoravu

Update the used commons-compress-1.18.jar to "commons-compress-1.19.jar".

Sonatype reports the following security vulnerability in the current 1.18 version:

        Description from CVE

        The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

        Explanation

        Apache Commons Compress is vulnerable to a Denial of Service (DoS) attack. The encode() method in the NioZipEncoding class fails to account for underflows caused by certain characters during iteration. A remote attacker can exploit this vulnerability by submitting a malicious archive containing file names that contain characters, such as certain umlauts, that exploit this issue. This will cause the application to enter into an infinite loop, ultimately resulting in a DoS condition.

        Detection

        The application is vulnerable by using this component.

        Recommendation

        We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

        Root Cause

        commons-compress-1.18.jar <= org/apache/commons/compress/archivers/zip/NioZipEncoding.class : [1.15, 1.19)

        Advisories

        Project: https://commons.apache.org/proper/commons-compress/security-...

        CVSS Details

        CVE CVSS 3.0: 7.5
        CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
@rdeltour
Member

Thanks for the report. Let’s try to do it in the next maintenance release.

@rdeltour rdeltour self-assigned this Sep 11, 2019
@rdeltour rdeltour added status: ready for implem The issue is ready to be implemented type: maintenance The issue is related to a meta task (build system, dependency update, etc) labels Sep 11, 2019
@rdeltour rdeltour modified the milestones: 4.2.2, 4.3.3 Sep 11, 2019
@rdeltour rdeltour added status: has PR The issue is being processed in a pull request and removed status: ready for implem The issue is ready to be implemented labels Apr 30, 2020
@raducoravu
Author

Thanks @rdeltour 👍
