Use apache-commons-compress for bzip2 compression/decompression

Plexus Archiver contains old bzip2 compression and decompression code
which is appearently forked from Apache Ant.  The same code is
currently maintained as part of Apache Commons Compress.

The bundled bzip2 code is very outdated.  It has several bugs, serious
performance problems, including CVE-2012-2098 vulnerability, which can
be used to cause denial of service.

To fix security vulnerability and prevent future problems bundled
bzip2 code is removed and replaced by calls to Apache Commons Compress
library.

Author: mizdebsk

pom.xml

@@ -57,6 +57,11 @@
       <artifactId>plexus-io</artifactId>
       <version>2.0.6</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-compress</artifactId>
+      <version>1.5</version>
+    </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>

src/main/java/org/codehaus/plexus/archiver/bzip2/BZip2Compressor.java

@@ -17,6 +17,7 @@
  *  limitations under the License.
  */
 
+import org.apache.commons.compress.compressors.bzip2.BZip2CompressorOutputStream;
 import org.codehaus.plexus.archiver.ArchiverException;
 import org.codehaus.plexus.archiver.util.Compressor;
 import org.codehaus.plexus.util.IOUtil;
@@ -31,7 +32,7 @@
 public class BZip2Compressor
     extends Compressor
 {
-    private CBZip2OutputStream zOut;
+    private BZip2CompressorOutputStream zOut;
 
     /**
      * perform the GZip compression operation.
@@ -45,7 +46,7 @@ public void compress()
                 new BufferedOutputStream( new FileOutputStream( getDestFile() ) );
             bos.write( 'B' );
             bos.write( 'Z' );
-            zOut = new CBZip2OutputStream( bos );
+            zOut = new BZip2CompressorOutputStream( bos );
             compress( getSource(), zOut );
         }
         catch ( IOException ioe )

src/main/java/org/codehaus/plexus/archiver/bzip2/BZip2Constants.java

@@ -24,6 +24,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 
+import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
 import org.codehaus.plexus.archiver.AbstractUnArchiver;
 import org.codehaus.plexus.archiver.ArchiverException;
 import org.codehaus.plexus.util.IOUtil;
@@ -53,7 +54,7 @@ protected void execute()
                               + getDestFile().getAbsolutePath() );
 
             FileOutputStream out = null;
-            CBZip2InputStream zIn = null;
+            BZip2CompressorInputStream zIn = null;
             FileInputStream fis = null;
             BufferedInputStream bis = null;
             try
@@ -90,7 +91,7 @@ protected void execute()
         }
     }
 
-    public static CBZip2InputStream getBZip2InputStream( InputStream bis )
+    public static BZip2CompressorInputStream getBZip2InputStream( InputStream bis )
         throws IOException
     {
         int b = bis.read();
@@ -103,7 +104,7 @@ public static CBZip2InputStream getBZip2InputStream( InputStream bis )
         {
             return null;
         }
-        return new CBZip2InputStream( bis );
+        return new BZip2CompressorInputStream( bis );
     }
 
     protected void execute( String path, File outputDirectory )