* CVE-2013-0248 Description: "The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack."
* CVE-2014-0050 Description: "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions."
* CVE-2016-3092 Description: "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string."
Given "FILEUPLOAD-279: DiskFileItem can no longer be deserialized, unless a particular system property is set." in the release notes [0], it may be better to just bump to 1.3.3 or even 1.4.x(?)

[0] https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f74b87959645481a244bc4513bcee58ea74e663

commit 4f74b87959645481a244bc4513bcee58ea74e663
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-05-26 09:05:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-26 12:33:33 +0000

    dev-java/commons-fileupload: Remove last-rited pkg

    Closes: https://bugs.gentoo.org/736577
    Bug: https://bugs.gentoo.org/739350
    Closes: https://bugs.gentoo.org/785847
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/commons-fileupload/Manifest                      |  1 -
 .../commons-fileupload-1.3.ebuild                         | 57 ----------------------
 .../files/0001-Remove-bogous-manifest-entry.patch         | 29 -----------
 .../files/0002-Fix-running-tests.patch                    | 25 ----------
 dev-java/commons-fileupload/metadata.xml                  | 19 --------
 profiles/package.mask                                     |  6 ---
 6 files changed, 137 deletions(-)
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-39 at https://security.gentoo.org/glsa/202107-39 by GLSA coordinator John Helmert III (ajak).