Bugzilla – Bug 1188468
VUL-0: CVE-2021-36373: ant: excessive memory allocation when reading a specially crafted TAR archive
Last modified: 2022-08-26 12:50:37 UTC
rh#1982336 When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected. Upstream fix: https://ant.apache.org/security.html https://github.com/apache/ant/commit/6594a2d66f7f060dafcbbf094dd60676db19a842/ Reference: https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E https://bugzilla.redhat.com/show_bug.cgi?id=1982336 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36373 http://seclists.org/oss-sec/2021/q3/13 http://www.cvedetails.com/cve/CVE-2021-36373/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36373 https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E https://ant.apache.org/security.html https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d@%3Ccommits.groovy.apache.org%3E https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E
SUSE-SU-2022:1417-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1188468,1188469 CVE References: CVE-2021-36373,CVE-2021-36374 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): ant-1.9.4-3.9.1, ant-antlr-1.9.4-3.9.1 SUSE Linux Enterprise Server 12-SP5 (src): ant-1.9.4-3.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1418-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1188468,1188469 CVE References: CVE-2021-36373,CVE-2021-36374 JIRA References: Sources used: openSUSE Leap 15.4 (src): ant-1.10.7-150200.4.6.1, ant-antlr-1.10.7-150200.4.6.1, ant-junit-1.10.7-150200.4.6.1, ant-junit5-1.10.7-150200.4.6.1 openSUSE Leap 15.3 (src): ant-1.10.7-150200.4.6.1, ant-antlr-1.10.7-150200.4.6.1, ant-junit-1.10.7-150200.4.6.1, ant-junit5-1.10.7-150200.4.6.1 SUSE Linux Enterprise Realtime Extension 15-SP2 (src): ant-1.10.7-150200.4.6.1, ant-antlr-1.10.7-150200.4.6.1, ant-junit-1.10.7-150200.4.6.1 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): ant-1.10.7-150200.4.6.1, ant-antlr-1.10.7-150200.4.6.1, ant-junit-1.10.7-150200.4.6.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): ant-1.10.7-150200.4.6.1, ant-antlr-1.10.7-150200.4.6.1, ant-junit-1.10.7-150200.4.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Hi Otto, it is actually maintained as you can see from smelt [0] but only on "disabled" channels. That's a little bit cryptic, it actually means that SUSE:SLE-15:Update/ant is only shipped to LTSS products. For LTSS we are only committed on fixing CVE with a CVSS >= 7, so in that case we can skip this codestream. No additional actions are required from your side, I close the bug. [0] https://smelt.suse.de/maintained/?q=ant