https://bugzilla.redhat.com/show_bug.cgi?id=1982336
Bug ID: 1982336 Summary: CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: gsuckevi@redhat.com CC: abenaiss@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, aos-bugs@redhat.com, asoldano@redhat.com, atangrin@redhat.com, bbaranow@redhat.com, bibryam@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, eleandro@redhat.com, eparis@redhat.com, etirelli@redhat.com, fjuma@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, hbraun@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, jaromir.capik@email.cz, java-maint-sig@lists.fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jcoleman@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jrokos@redhat.com, jschatte@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, loleary@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msrb@redhat.com, msvehla@redhat.com, nstielau@redhat.com, nwallace@redhat.com, pantinor@redhat.com, pbhattac@redhat.com, pjindal@redhat.com, pmackay@redhat.com, rguimara@redhat.com, rrajasek@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rwagner@redhat.com, sd-operator-metering@redhat.com, smaestri@redhat.com, spinder@redhat.com, sponnaga@redhat.com, tcunning@redhat.com, tflannag@redhat.com, theute@redhat.com, tkirby@redhat.com, tom.jenkinson@redhat.com, tzimanyi@redhat.com, vbobade@redhat.com, yborgess@redhat.com Target Milestone: --- Classification: Other
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
Reference: https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00c...
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1982339, 1982337, 1982338
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1982337 [Bug 1982337] CVE-2021-36373 ant:1.10/ant: excessive memory allocation when reading a specially crafted TAR archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1982338 [Bug 1982338] CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1982339 [Bug 1982339] CVE-2021-36373 javapackages-bootstrap:202001/ant: excessive memory allocation when reading a specially crafted TAR archive [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created ant tracking bugs for this issue:
Affects: fedora-all [bug 1982338]
Created ant:1.10/ant tracking bugs for this issue:
Affects: fedora-all [bug 1982337]
Created javapackages-bootstrap:202001/ant tracking bugs for this issue:
Affects: fedora-all [bug 1982339]
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1982341
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
Ted (Jong Seok) Won jwon@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |Apache Ant 1.9.16, Ant | |1.10.11
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
--- Comment #8 from Hardik Vyas hvyas@redhat.com --- Upstream fix: https://github.com/apache/ant/commit/6594a2d66f7f060dafcbbf094dd60676db19a84...
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
Riccardo Schirone rschiron@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1988326, 1988327, 1988325, | |1988329, 1988328
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
Ted (Jong Seok) Won jwon@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Severity|medium |low Priority|medium |low
https://bugzilla.redhat.com/show_bug.cgi?id=1982336 Bug 1982336 depends on bug 1982338, which changed state.
Bug 1982338 Summary: CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1982338
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |RAWHIDE
https://bugzilla.redhat.com/show_bug.cgi?id=1982336 Bug 1982336 depends on bug 1982339, which changed state.
Bug 1982339 Summary: CVE-2021-36373 javapackages-bootstrap:202001/ant: excessive memory allocation when reading a specially crafted TAR archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1982339
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |WONTFIX
https://bugzilla.redhat.com/show_bug.cgi?id=1982336 Bug 1982336 depends on bug 1982337, which changed state.
Bug 1982337 Summary: CVE-2021-36373 ant:1.10/ant: excessive memory allocation when reading a specially crafted TAR archive [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1982337
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |WONTFIX
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHPAM 7.13.0 async
Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2022:5903
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
--- Comment #25 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-36373
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
Product Security DevOps Team prodsec-dev@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |ERRATA Status|NEW |CLOSED Last Closed| |2022-08-31 17:55:52
java-sig-commits@lists.fedoraproject.org