List:       oss-security
Subject:    [oss-security] CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability
From:       Stefan Bodewig <bodewig () apache ! org>
Date:       2021-07-13 4:01:23
Message-ID: 9fb69386-9b78-787a-deef-23433dbecba1 () apache ! org
Description:

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory, eventually leading to an out-of-memory error even for very small inputs. This could be used to mount a denial-of-service attack against services that use Compress' tar package.

Mitigation:

Commons Compress users should upgrade to 1.21 or later.

Credit:

This issue was discovered by OSS Fuzz.

References:

https://commons.apache.org/proper/commons-compress/security-reports.html
