Use apache-commons-compress for bzip2 compression/decompression

Plexus Archiver contains old bzip2 compression and decompression code which is appearently forked from Apache Ant. The same code is currently maintained as part of Apache Commons Compress. The bundled bzip2 code is very outdated. It has several bugs, serious performance problems, including CVE-2012-2098 vulnerability, which can be used to cause denial of service. To fix security vulnerability and prevent future problems bundled bzip2 code is removed and replaced by calls to Apache Commons Compress library.
sochotnicky · Apr 11, 2013 · ce4bf4c · ce4bf4c
1 parent a82c2b4
commit ce4bf4c
Show file tree

Hide file tree

Showing 9 changed files with 16 additions and 3,182 deletions.
diff --git a/pom.xml b/pom.xml
@@ -57,6 +57,11 @@
       <artifactId>plexus-io</artifactId>
       <version>2.0.6</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-compress</artifactId>
+      <version>1.5</version>
+    </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>

diff --git a/src/main/java/org/codehaus/plexus/archiver/bzip2/BZip2Compressor.java b/src/main/java/org/codehaus/plexus/archiver/bzip2/BZip2Compressor.java
@@ -17,6 +17,7 @@
  *  limitations under the License.
  */
 
+import org.apache.commons.compress.compressors.bzip2.BZip2CompressorOutputStream;
 import org.codehaus.plexus.archiver.ArchiverException;
 import org.codehaus.plexus.archiver.util.Compressor;
 import org.codehaus.plexus.util.IOUtil;
@@ -31,7 +32,7 @@
 public class BZip2Compressor
     extends Compressor
 {
-    private CBZip2OutputStream zOut;
+    private BZip2CompressorOutputStream zOut;
 
     /**
      * perform the GZip compression operation.
@@ -45,7 +46,7 @@ public void compress()
                 new BufferedOutputStream( new FileOutputStream( getDestFile() ) );
             bos.write( 'B' );
             bos.write( 'Z' );
-            zOut = new CBZip2OutputStream( bos );
+            zOut = new BZip2CompressorOutputStream( bos );
             compress( getSource(), zOut );
         }
         catch ( IOException ioe )

diff --git a/src/main/java/org/codehaus/plexus/archiver/bzip2/BZip2Constants.java b/src/main/java/org/codehaus/plexus/archiver/bzip2/BZip2Constants.java
diff --git a/src/main/java/org/codehaus/plexus/archiver/bzip2/BZip2UnArchiver.java b/src/main/java/org/codehaus/plexus/archiver/bzip2/BZip2UnArchiver.java
@@ -24,6 +24,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 
+import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
 import org.codehaus.plexus.archiver.AbstractUnArchiver;
 import org.codehaus.plexus.archiver.ArchiverException;
 import org.codehaus.plexus.util.IOUtil;
@@ -53,7 +54,7 @@ protected void execute()
                               + getDestFile().getAbsolutePath() );
 
             FileOutputStream out = null;
-            CBZip2InputStream zIn = null;
+            BZip2CompressorInputStream zIn = null;
             FileInputStream fis = null;
             BufferedInputStream bis = null;
             try
@@ -90,7 +91,7 @@ protected void execute()
         }
     }
 
-    public static CBZip2InputStream getBZip2InputStream( InputStream bis )
+    public static BZip2CompressorInputStream getBZip2InputStream( InputStream bis )
         throws IOException
     {
         int b = bis.read();
@@ -103,7 +104,7 @@ public static CBZip2InputStream getBZip2InputStream( InputStream bis )
         {
             return null;
         }
-        return new CBZip2InputStream( bis );
+        return new BZip2CompressorInputStream( bis );
     }
 
     protected void execute( String path, File outputDirectory )