Advisories » MGASA-2014-0056

Updated plexus-archiver package fixes security vulnerability

Publication date: 12 Feb 2014
Modification date: 19 Sep 2016
Type: security
Affected Mageia releases : 3
CVE: CVE-2012-2098

Description

Algorithmic complexity vulnerability in the sorting algorithms in bzip2
compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress
before 1.4.1 allows remote attackers to cause a denial of service (CPU
consumption) via a file with many repeating inputs (CVE-2012-2098).

plexus-archiver used an embedded copy of the affected code from Apache
Commons Compress, and therefore was affected by this.  It has been patched
to use the apache-commons-compress package, in which this issue has already
been fixed, for bzip2 compression and decompression.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=6331
• https://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html
• https://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098

SRPMS

3/core

• plexus-archiver-2.3-1.1.mga3