CVE-2017-15288 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15288): The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
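The flaw class above is a per-user state file kept in a shared temp tree with permissions that let other local users modify it. As an added example (not code from the Scala project or from this bug report), the Python script below audits such a tree for entries writable by group or others and shows the owner-only way to create the file; the directory layout, the user names "shared" and "alice", and the port numbers are constructed samples built under a fresh temp directory so the script runs anywhere.

```python
"""Audit a shared temp tree for entries writable by users other than the owner.

Added example, not code from the Scala project or this bug report. The layout
it builds is a constructed sample modelled on the path in the advisory and is
created under a fresh temp directory.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Permission bits that let someone other than the owner modify an entry.
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def find_writable_by_others(root):
    """Walk `root` and return sorted relative paths of every entry that group
    or others may write to. Directories carrying the sticky bit (like /tmp
    itself) are skipped, since other users may add files there but cannot
    replace or remove the owner's. Symlinks are judged by their own mode and
    are not followed."""
    root = Path(root)
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            mode = os.lstat(path).st_mode
            if not mode & OTHER_WRITE:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                continue
            flagged.append(path.relative_to(root).as_posix())
    return sorted(flagged)


def create_private_file(path, data):
    """Create `path` owner-only (0600) regardless of umask. O_EXCL refuses a
    name that already exists and O_NOFOLLOW refuses to go through a symlink,
    so a pre-existing entry in a shared directory is never silently reused.
    Returns the resulting permission bits."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.fchmod(fd, 0o600)   # umask cannot widen 0600, but it could narrow it
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.lstat(path).st_mode)


def build_demo_tree():
    """Construct two per-user directories under a fresh temp root: one with the
    weak permissions the advisory describes and one created safely.
    Returns the temp root (caller removes it)."""
    root = Path(tempfile.mkdtemp(prefix="permaudit-"))
    base = root / "scala-devel"
    base.mkdir()
    os.chmod(base, 0o755)

    # Weak: directory and port file writable by everyone (constructed values).
    weak = base / "shared"
    weak.mkdir()
    os.chmod(weak, 0o777)
    port = weak / "scalac-compile-server-port"
    port.write_text("4444\n")
    os.chmod(port, 0o666)

    # Safe: owner-only directory, file created through create_private_file.
    safe = base / "alice"          # "alice" is a made-up user name
    safe.mkdir()
    os.chmod(safe, 0o700)
    create_private_file(safe / "scalac-compile-server-port", b"4445\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for entry in find_writable_by_others(demo_root):
            print("writable by others:", entry)
    finally:
        shutil.rmtree(demo_root)
```

Run against a real system, the walk would start at the shared parent directory (here `/tmp/scala-devel`); every flagged entry is one that a different local account can rewrite, which for a port or class file is the condition the advisory describes. The sticky-bit exemption is deliberate: `/tmp` itself is expected to be world-writable, and the problem is a non-sticky subdirectory or a group/world-writable file inside it.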
@Maintainers please call for stabilization when ready. Thank you
2.12.4 will also drop the dep on obsolete ant-trax
An automated check of this bug failed - repoman reported dependency errors (30 lines truncated):
> dependency.bad dev-lang/scala/scala-2.12.4.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-java/sbt-0.13.13']
> dependency.bad dev-lang/scala/scala-2.12.4.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-java/sbt-0.13.13']
> dependency.bad dev-lang/scala/scala-2.12.4.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop/gnome) ['>=dev-java/sbt-0.13.13']
An automated check of this bug failed - repoman reported dependency errors (63 lines truncated):
> dependency.bad dev-java/sbt/sbt-0.13.13.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-lang/scala-2.11.8:2.11']
> dependency.bad dev-java/sbt/sbt-0.13.13.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-lang/scala-2.11.8:2.11']
> dependency.bad dev-java/sbt/sbt-0.13.13.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-lang/scala-2.11.8:2.11']
x86 stable
amd64 stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f2be6ee0e607f7731e2cffdda8d39268ecd1c8f

commit 5f2be6ee0e607f7731e2cffdda8d39268ecd1c8f
Author: Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2018-11-01 10:49:14 +0000
Commit: Pacho Ramos <pacho@gentoo.org>
CommitDate: 2018-11-01 10:49:14 +0000

dev-lang/scala: Drop vulnerable versions

Bug: https://bugs.gentoo.org/637940
Signed-off-by: Pacho Ramos <pacho@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

dev-lang/scala/Manifest | 176 ----------------
dev-lang/scala/files/scala-2.11.1-no-git.patch | 24 ---
dev-lang/scala/files/scala-2.11.2-no-git.patch | 24 ---
dev-lang/scala/files/scala-2.11.4-no-git.patch | 24 ---
dev-lang/scala/files/scala-2.11.6-no-git.patch | 24 ---
dev-lang/scala/files/scala-2.11.7-no-git.patch | 24 ---
dev-lang/scala/files/scala-2.11.8-no-git.patch | 24 ---
dev-lang/scala/files/scala-2.12.1-no-git.patch | 37 ----
.../scala/files/scala-2.12.1-runner-script.patch | 22 --
dev-lang/scala/files/scala-2.12.2-no-git.patch | 23 ---
dev-lang/scala/scala-2.11.1-r2.ebuild | 216 --------------------
dev-lang/scala/scala-2.11.11.ebuild | 224 ---------------------
dev-lang/scala/scala-2.11.2-r2.ebuild | 218 --------------------
dev-lang/scala/scala-2.11.4-r1.ebuild | 218 --------------------
dev-lang/scala/scala-2.11.4-r2.ebuild | 218 --------------------
dev-lang/scala/scala-2.11.6-r1.ebuild | 218 --------------------
dev-lang/scala/scala-2.11.7-r1.ebuild | 222 --------------------
dev-lang/scala/scala-2.11.8.ebuild | 222 --------------------
dev-lang/scala/scala-2.12.1.ebuild | 213 --------------------
dev-lang/scala/scala-2.12.2.ebuild | 214 --------------------
20 files changed, 2585 deletions(-)
This issue was resolved and addressed in GLSA 201812-08 at https://security.gentoo.org/glsa/201812-08 by GLSA coordinator Aaron Bauman (b-man).