ArchLinux: 202107-43: ant: denial of service | LinuxSecurity.com


Arch Linux Security Advisory ASA-202107-43
==========================================

Severity: Low
Date    : 2021-07-20
CVE-ID  : CVE-2021-36373 CVE-2021-36374
Package : ant
Type    : denial of service
Remote  : No
Link    : https://security.archlinux.org/AVG-2151

Summary
=======

The package ant before version 1.10.11-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 1.10.11-1.

# pacman -Syu "ant>=1.10.11-1"

The problems have been fixed upstream in version 1.10.11.
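
As an added example (not part of the Arch advisory or of the ant project),
the following POSIX shell script checks whether an installed ant package
version is older than the fixed release 1.10.11-1, comparing "pkgver-pkgrel"
strings field by field. The function names, the --check flag and the use of
"pacman -Q ant" to read the installed version are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed ant
# version is affected by CVE-2021-36373 / CVE-2021-36374 (fixed in 1.10.11-1).

FIXED_ANT_VERSION="1.10.11-1"

# version_lt A B -> exit 0 if A is older than B, 1 otherwise.
# Splits on '.' and '-' so "1.10.10-2" becomes 1,10,10,2; a missing
# trailing field (e.g. no pkgrel) is treated as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, av, /[.-]/); m = split(b, bv, /[.-]/)
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            x = (i <= n) ? av[i] + 0 : 0
            y = (i <= m) ? bv[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# ant_is_vulnerable VERSION -> exit 0 if VERSION predates the fixed release.
ant_is_vulnerable() {
    version_lt "$1" "$FIXED_ANT_VERSION"
}

# check_installed_ant: query pacman on an Arch host and report the result.
# Exit 0 = affected, 1 = fixed, 2 = could not determine.
check_installed_ant() {
    if ! command -v pacman >/dev/null 2>&1; then
        echo "pacman not found; call ant_is_vulnerable VERSION instead" >&2
        return 2
    fi
    installed=$(pacman -Q ant 2>/dev/null | awk '{print $2}')
    if [ -z "$installed" ]; then
        echo "ant is not installed"
        return 2
    fi
    if ant_is_vulnerable "$installed"; then
        echo "ant $installed is affected; upgrade to ant>=$FIXED_ANT_VERSION"
        return 0
    fi
    echo "ant $installed already contains the fix"
    return 1
}

# Usage: sh check-ant.sh --check   (runs the pacman query on an Arch host)
case "${1:-}" in
    --check) check_installed_ant ;;
esac
```

Running the script with --check on an Arch host prints whether the installed
ant needs the upgrade from the Resolution section; on other systems the
ant_is_vulnerable function can be called directly with a version string.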

Workaround
==========

None.

Description
===========

- CVE-2021-36373 (denial of service)

When reading a specially crafted TAR archive, Apache Ant before version
1.10.11 can be made to allocate large amounts of memory that finally
leads to an out of memory error, even for small inputs. This can be
used to disrupt builds using Apache Ant.

- CVE-2021-36374 (denial of service)

When reading a specially crafted ZIP archive, or a derived format,
Apache Ant before version 1.10.11 can be made to allocate large amounts
of memory that leads to an out of memory error, even for small inputs.
This can be used to disrupt builds using Apache Ant.

Impact
======

A crafted TAR or ZIP archive could consume large amounts of memory,
leading to denial of service.

References
==========

https://www.openwall.com/lists/oss-security/2021/07/13/5
https://github.com/apache/ant/commit/6594a2d66f7f060dafcbbf094dd60676db19a842
https://www.openwall.com/lists/oss-security/2021/07/13/6
https://security.archlinux.org/CVE-2021-36373
https://security.archlinux.org/CVE-2021-36374
