| Name | CVE-2021-35517 |
| Description | When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 991041 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libcommons-compress-java (PTS) | jessie | 1.9-1 | vulnerable |
| stretch | 1.13-1 | vulnerable | |
| buster | 1.18-2+deb10u1 | vulnerable | |
| bullseye | 1.20-1 | vulnerable | |
| bookworm | 1.22-1 | fixed | |
| sid, trixie | 1.25.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libcommons-compress-java | source | (unstable) | 1.21-1 | 991041 |
[bullseye] - libcommons-compress-java <no-dsa> (Minor issue)
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2021/07/13/3
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=d0af873e77d16f41edfef7b69da5c8c35c96a650
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=7ce1b0796d6cbe1f41b969583bd49f33ae0efef0
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f
[jessie] - libcommons-compress-java <no-dsa> (Minor issue)