<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - [CVE 21] snappy-java 1.1.2.4 CVEs found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13576">13576</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] snappy-java 1.1.2.4 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2023-34453, CVE-2023-34454, CVE-2023-34455,
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>e.kosachev@rosalinux.ru, s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package snappy-java version 1.1.2.4
INFO (CVEs are): snappy-java 1.1.2.4
cves found
CVE-2023-34453
Desc: snappy-java is a fast compressor/decompressor for Java. Due to unchecked
multiplications, an integer overflow may occur in versions prior to 1.1.10.1,
causing a fatal error.
The function `shuffle(int[] input)` in the file `BitShuffle.java` receives an
array of integers and applies a bit shuffle on it. It does so by multiplying
the length by 4 and passing it to the natively compiled shuffle function. Since
the length is not tested, the multiplication by four can cause an integer
overflow and become a smaller value than the true size, or even zero or
negative. In the case of a negative value, a
`java.lang.NegativeArraySizeException` exception will raise, which can crash
the program. In a case of a value that is zero or too small, the code that
afterwards references the shuffled array will assume a bigger size of the
array, which might cause exceptions such as
`java.lang.ArrayIndexOutOfBoundsException`.
The same issue exists also when using the `shuffle` functions that receive a
double, float, long and short, each using a different multiplier that may cause
the same issue.
Version 1.1.10.1 contains a patch for this vulnerability.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34453">https://nvd.nist.gov/vuln/detail/CVE-2023-34453</a>
Severity: HIGH
CVE-2023-34454
Desc: snappy-java is a fast compressor/decompressor for Java. Due to unchecked
multiplications, an integer overflow may occur in versions prior to 1.1.10.1,
causing an unrecoverable fatal error.
The function `compress(char[] input)` in the file `Snappy.java` receives an
array of characters and compresses it. It does so by multiplying the length by
2 and passing it to the rawCompress` function.
Since the length is not tested, the multiplication by two can cause an integer
overflow and become negative. The rawCompress function then uses the received
length and passes it to the natively compiled maxCompressedLength function,
using the returned value to allocate a byte array.
Since the maxCompressedLength function treats the length as an unsigned
integer, it doesn’t care that it is negative, and it returns a valid value,
which is casted to a signed integer by the Java engine. If the result is
negative, a `java.lang.NegativeArraySizeException` exception will be raised
while trying to allocate the array `buf`. On the other side, if the result is
positive, the `buf` array will successfully be allocated, but its size might be
too small to use for the compression, causing a fatal Access Violation error.
The same issue exists also when using the `compress` functions that receive
double, float, int, long and short, each using a different multiplier that may
cause the same issue. The issue most likely won’t occur when using a byte
array, since creating a byte array of size 0x80000000 (or any other negative
value) is impossible in the first place.
Version 1.1.10.1 contains a patch for this issue.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34454">https://nvd.nist.gov/vuln/detail/CVE-2023-34454</a>
Severity: HIGH
CVE-2023-34455
Desc: snappy-java is a fast compressor/decompressor for Java. Due to use of an
unchecked chunk length, an unrecoverable fatal error can occur in versions
prior to 1.1.10.1.
The code in the function hasNextChunk in the fileSnappyInputStream.java checks
if a given stream has more chunks to read. It does that by attempting to read 4
bytes. If it wasn’t possible to read the 4 bytes, the function returns false.
Otherwise, if 4 bytes were available, the code treats them as the length of the
next chunk.
In the case that the `compressed` variable is null, a byte array is allocated
with the size given by the input data. Since the code doesn’t test the legality
of the `chunkSize` variable, it is possible to pass a negative number (such as
0xFFFFFFFF which is -1), which will cause the code to raise a
`java.lang.NegativeArraySizeException` exception. A worse case would happen
when passing a huge positive value (such as 0x7FFFFFFF), which would raise the
fatal `java.lang.OutOfMemoryError` error.
Version 1.1.10.1 contains a patch for this issue.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34455">https://nvd.nist.gov/vuln/detail/CVE-2023-34455</a>
Severity: HIGH</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>