
Bug#681996: pu: package libcommons-compress-java/1.0-1
On Sat, Jul 21, 2012 at 04:12:24PM +0100, Adam D. Barratt wrote:
> +libcommons-compress-java (1.0-1+squeeze1) stable; urgency=low
> +
> +  * Team upload.
> +  * Fix an algorithmic complexity vulnerability in the sorting algorithms
> +    in bzip2 compressing stream. CVE-2012-2098. (Closes: #674448).
> +  * Update source format to 3.0 (quilt).
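Review bot: the third changelog entry, "Update source format to 3.0 (quilt)", records a packaging change that is unrelated to the CVE-2012-2098 fix; a stable update should carry only the security fix, so drop that entry together with the source-format change it describes. It would also help the stable release team if the second entry named the upstream version or commit the BlockSort.java fix was backported from, given the size of the accompanying diff.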
> 
> That last change generally isn't okay for stable updates, I'm afraid.

OK. I reverted that.

> Hmmm, that's quite a large diff. :-(
> 
>  main/java/org/apache/commons/compress/compressors/bzip2/BZip2CompressorOutputStream.java |  638 -----
>  main/java/org/apache/commons/compress/compressors/bzip2/BlockSort.java                   | 1081 ++++++++++
>  test/java/org/apache/commons/compress/compressors/bzip2/BlockSortTest.java               |  171 +

Yes, the diff is large but I believe it is not intrusive at all:

BlockSortTest.java is just a test, it is not shipped in the binary package.

All those insertions in BlockSort.java are refactored code from
BZip2CompressorOutputStream.java, which is why there are so many deletions
in the latter file.

After that, what remains are a few changes that provide a solution for the
vulnerability.

Cheers,

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
