CVE-2021-36090

NameCVE-2021-36090
DescriptionWhen reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs991041

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcommons-compress-java (PTS)jessie1.9-1vulnerable
stretch1.13-1vulnerable
buster1.18-2+deb10u1vulnerable
bullseye1.20-1vulnerable
bookworm1.22-1fixed
sid, trixie1.25.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcommons-compress-javasource(unstable)1.21-1991041

Notes

[bullseye] - libcommons-compress-java <no-dsa> (Minor issue)
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2021/07/13/4
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=ef5d70b625000e38404194aaab311b771c44efda
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f
[jessie] - libcommons-compress-java <no-dsa> (Minor issue)
Search for package or bug name: Reporting problems