Mageia 8 MGASA-2022-0009 Moderate: Apache-Commons Compress DoS

mageia
January 11, 2022

Summary

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. (CVE-2021-35515)

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. (CVE-2021-35516)

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. (CVE-2021-35517)

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of m...

References

- https://bugs.mageia.org/show_bug.cgi?id=29254

- https://www.openwall.com/lists/oss-security/2021/07/13/1

- https://www.openwall.com/lists/oss-security/2021/07/13/2

- https://www.openwall.com/lists/oss-security/2021/07/13/3

- https://www.openwall.com/lists/oss-security/2021/07/13/4

- https://www.cve.org/CVERecord?id=CVE-2021-35515

- https://www.cve.org/CVERecord?id=CVE-2021-35516

- https://www.cve.org/CVERecord?id=CVE-2021-35517

- https://www.cve.org/CVERecord?id=CVE-2021-36090

Resolution

SRPMS

- 8/core/osgi-core-8.0.0-1.mga8

- 8/core/apache-commons-compress-1.21-1.mga8

Publication date: 11 Jan 2022
URL: https://advisories.mageia.org/MGASA-2022-0009.html
Type: security
CVE: CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
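
The package update replaces only the system copy of the library; an application that bundles its own commons-compress inside a jar or war keeps the old code. The following added example (not part of the advisory or of Mageia's tooling) walks a directory and lists bundled copies older than the 1.21 shipped by this update. It assumes copies can be recognised by file name or by Maven's pom.properties entry.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (1, 21)  # version shipped by the update listed under Resolution
POM = "META-INF/maven/org.apache.commons/commons-compress/pom.properties"
JAR_NAME = re.compile(r"(?:^|/)commons-compress-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'1.20' -> (1, 20); qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def versions_in_archive(path):
    """Return the set of commons-compress versions found in one jar/war/ear."""
    found = set()
    m = JAR_NAME.search(path.name)
    if m:
        found.add(m.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                nested = JAR_NAME.search(name)
                if nested:  # e.g. WEB-INF/lib/commons-compress-1.20.jar
                    found.add(nested.group(1))
                elif name.endswith(POM):  # classes merged into a fat jar
                    props = zf.read(name).decode("utf-8", "replace")
                    v = re.search(r"^version=(.+)$", props, re.M)
                    if v:
                        found.add(v.group(1).strip())
    except (zipfile.BadZipFile, OSError):
        pass  # not a readable archive; keep what the file name told us
    return found

def find_outdated(root):
    """List (archive path, version) pairs older than FIXED under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".jar", ".war", ".ear"}:
            for version in sorted(versions_in_archive(path)):
                if parse_version(version) < FIXED:  # unparseable versions are listed too
                    hits.append((str(path), version))
    return hits

if __name__ == "__main__":
    for archive, version in find_outdated(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{archive}: commons-compress {version} (older than 1.21)")
```

Run it with the application directory as the only argument; with no argument it scans the current directory.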
