{"id":"MGASA-2022-0009","summary":"Updated osgi-core/apache-commons-compress packages fix security vulnerability","details":"When reading a specially crafted 7Z archive, the construction of the list\nof codecs that decompress an entry can result in an infinite loop. This\ncould be used to mount a denial of service attack against services that\nuse Compress' sevenz package. (CVE-2021-35515)\nWhen reading a specially crafted 7Z archive, Compress can be made to\nallocate large amounts of memory that finally leads to an out of memory\nerror even for very small inputs. This could be used to mount a denial of\nservice attack against services that use Compress' sevenz package.\n(CVE-2021-35516)\nWhen reading a specially crafted TAR archive, Compress can be made to\nallocate large amounts of memory that finally leads to an out of memory\nerror even for very small inputs. This could be used to mount a denial of\nservice attack against services that use Compress' tar package.\n(CVE-2021-35517)\nWhen reading a specially crafted ZIP archive, Compress can be made to\nallocate large amounts of memory that finally leads to an out of memory\nerror even for very small inputs. This could be used to mount a denial of\nservice attack against services that use Compress' zip package.\n(CVE-2021-36090)\n","modified":"2026-04-16T04:40:45.243789101Z","published":"2022-01-11T07:12:42Z","upstream":["CVE-2021-35515","CVE-2021-35516","CVE-2021-35517","CVE-2021-36090"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0009.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29254"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2021/07/13/1"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2021/07/13/2"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2021/07/13/3"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2021/07/13/4"},{"type":"WEB","url":"https://commons.apache.org/proper/commons-compress/security-reports.html"},{"type":"WEB","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XVOH7P2WI6SSS2OORQJBS45T5SKKO7BV/"}],"affected":[{"package":{"name":"osgi-core","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/osgi-core?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.0.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0009.json"}},{"package":{"name":"apache-commons-compress","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/apache-commons-compress?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.21-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0009.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}