Bug#681996: pu: package libcommons-compress-java/1.0-1

tags 681996 + squeeze
thanks

On Wed, 2012-07-18 at 10:59 -0430, Miguel Landaeta wrote:
> CVE-2012-2098 / #674448 is not fixed yet in stable, so I would like
> to update libcommons-compress-java/1.0-1.
> 
> The security team already confirmed this doesn't warrant a DSA, so
> this should be fixed through a point update.
> 
> A debdiff with the backported patch to fix the issue is attached.

+libcommons-compress-java (1.0-1+squeeze1) stable; urgency=low
+
+  * Team upload.
+  * Fix an algorithmic complexity vulnerability in the sorting algorithms
+    in bzip2 compressing stream. CVE-2012-2098. (Closes: #674448).
+  * Update source format to 3.0 (quilt).

That last change generally isn't okay for stable updates, I'm afraid.

Hmmm, that's quite a large diff. :-(

 main/java/org/apache/commons/compress/compressors/bzip2/BZip2CompressorOutputStream.java |  638 -----
 main/java/org/apache/commons/compress/compressors/bzip2/BlockSort.java                   | 1081 ++++++++++
 test/java/org/apache/commons/compress/compressors/bzip2/BlockSortTest.java               |  171 +

Regards,

Adam
