MGASA-2022-0009 - Updated osgi-core/apache-commons-compress packages fix security vulnerability

Publication date: 11 Jan 2022
URL: https://advisories.mageia.org/MGASA-2022-0009.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-35515,
     CVE-2021-35516,
     CVE-2021-35517,
     CVE-2021-36090

When reading a specially crafted 7Z archive, the construction of the list
of codecs that decompress an entry can result in an infinite loop. This
could be used to mount a denial of service attack against services that
use Compress' sevenz package. (CVE-2021-35515)
When reading a specially crafted 7Z archive, Compress can be made to
allocate large amounts of memory that finally leads to an out of memory
error even for very small inputs. This could be used to mount a denial of
service attack against services that use Compress' sevenz package.
(CVE-2021-35516)
When reading a specially crafted TAR archive, Compress can be made to
allocate large amounts of memory that finally leads to an out of memory
error even for very small inputs. This could be used to mount a denial of
service attack against services that use Compress' tar package.
(CVE-2021-35517)
When reading a specially crafted ZIP archive, Compress can be made to
allocate large amounts of memory that finally leads to an out of memory
error even for very small inputs. This could be used to mount a denial of
service attack against services that use Compress' zip package.
(CVE-2021-36090)

References:
- https://bugs.mageia.org/show_bug.cgi?id=29254
- https://www.openwall.com/lists/oss-security/2021/07/13/1
- https://www.openwall.com/lists/oss-security/2021/07/13/2
- https://www.openwall.com/lists/oss-security/2021/07/13/3
- https://www.openwall.com/lists/oss-security/2021/07/13/4
- https://commons.apache.org/proper/commons-compress/security-reports.html
- https://lists.opensuse.org/archives/list/[email protected]/thread/XVOH7P2WI6SSS2OORQJBS45T5SKKO7BV/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090

SRPMS:
- 8/core/osgi-core-8.0.0-1.mga8
- 8/core/apache-commons-compress-1.21-1.mga8