Bug 405931 (CVE-2012-1007) - <dev-java/struts-2.3.15.2: XSS vulnerability (CVE-2012-1007)
Summary: <dev-java/struts-2.3.15.2: XSS vulnerability (CVE-2012-1007)
Status: RESOLVED FIXED
Alias: CVE-2012-1007
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 487280 488980
Blocks:
Reported: 2012-02-26 17:16 UTC by GLSAMaker/CVETool Bot
Modified: 2016-02-07 11:21 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2012-02-26 17:16:59 UTC
CVE-2012-1007 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1007):
  Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10
  allow remote attackers to inject arbitrary web script or HTML via (1) the
  name parameter to struts-examples/upload/upload-submit.do, or the message
  parameter to (2) struts-cookbook/processSimple.do or (3)
  struts-cookbook/processDyna.do.


I cannot find a decent security reference for struts 1, but it is quite likely our in-tree version is affected by other vulnerabilities as well.
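The CVE text above describes reflected XSS: a request parameter (such as `name`) is copied into the HTML response without encoding. The following is an added illustration of the fix on the output side, written for this page and not taken from Apache Struts, NVD or the Gentoo ebuild; the class name, the page layout and the `render` helper are assumptions, and the input value is constructed. It shows the same encoding a safe JSP tag performs (Struts 1's `<bean:write>` filters HTML unless `filter="false"` is set; raw scriptlet or `out.print` output does not), applied to any value that is reflected into an HTML text or attribute context.

```java
/**
 * Added example: HTML-encode a reflected request parameter before it is
 * written into the page. Only the JDK is needed; in a servlet or Struts
 * action the value would come from request.getParameter("name").
 */
public class SafeReflect {

    /** Encode the five characters that can change meaning inside HTML text or a quoted attribute. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hypothetical upload-confirmation page: the parameter is encoded at the point it enters HTML. */
    static String render(String name) {
        return "<html><body><p>Uploaded by: " + escapeHtml(name) + "</p></body></html>";
    }

    /** Check that a constructed value containing markup cannot reach the page as live tags. */
    static boolean reflectsSafely(String value) {
        String html = render(value);
        // The only angle brackets left must be those of the fixed template, not of the input.
        return !html.contains("<b>") && html.contains("&lt;b&gt;");
    }

    public static void main(String[] args) {
        String constructed = "<b>bob</b>";   // constructed sample input, not from the page
        if (!reflectsSafely(constructed)) {
            throw new AssertionError("markup reached the page unescaped");
        }
        System.out.println(render(constructed));
    }
}
```

Encoding belongs at the output sink, not at input validation: the same `name` value may later be placed in a JavaScript string or a URL, where a different encoder is required, so validating it once on the way in does not make every later use safe.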
Comment 1 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-10-02 23:09:16 UTC
+  02 Oct 2013; Tom Wijsman <TomWij@gentoo.org>
+  +files/struts-2.3.15.2-build.xml-apps-package.patch,
+  +files/struts-2.3.15.2-build.xml-classpath.patch,
+  +files/struts-2.3.15.2-build.xml-manifest.patch,
+  +files/struts-2.3.15.2-build.xml-remove-apps-portlet.patch,
+  +files/struts-2.3.15.2-build.xml-remove-core-and-plugins.patch,
+  +struts-2.3.15.2.ebuild:
+  Version bump to 2.3.15.2; for bug #152352, bug #237146, bug #405931 and bug
+  #486752.
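Review bot: the ChangeLog entry references bug #405931 but never names CVE-2012-1007, so the security fix cannot be found by grepping for the CVE; and because the CVE text concerns Struts 1.3.10 while this is a bump to 2.3.15.2, the entry should state what happens to the 1.x ebuilds that the bug summary (`<dev-java/struts-2.3.15.2`) marks as affected, e.g. "Version bump to 2.3.15.2, fixes CVE-2012-1007 (bug #405931); older struts-1.x ebuilds remain vulnerable until removed" or the equivalent for whichever action was taken.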

Looks like we are going to need some KEYWORDREQ and STABLEREQ bugs; since it is late and I have worked half a day on this, I'll look into that tomorrow. If you want to file them before that, feel free to go ahead.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-05 03:24:18 UTC
Long keyword list to get this set up...here goes.
Arches, please test and keyword/mark stable:
dev-java/commons-lang-3.1
dev-java/felix-gogo-runtime-0.10.0
dev-java/felix-shell-1.4.3
dev-java/felix-utils-1.2.0
dev-java/osgi-compendium-4.3.1
dev-java/osgi-foundation-1.2.0-r1
dev-java/ognl-3.0.8
dev-java/struts-2.3.15.2
dev-java/struts-core-2.3.15.2
dev-java/struts-plugins-2.3.15.2
dev-java/struts-xwork-2.3.15.2
Target arches: amd64 ppc x86

dev-java/glassfish-persistence-1.0-r1
dev-java/osgi-core-api-5.0.0
Target arch: ppc
Comment 3 Myckel Habets 2013-10-21 18:10:56 UTC
What about bug 487280? I seem to be hit by it when trying to build struts-xwork.
Comment 4 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-10-21 21:37:14 UTC
(In reply to Myckel Habets from comment #3)
> What about bug 487280? I seem to be hit by it when trying to build
> struts-xwork.

ercpe has committed some spring-* packages two days ago; so, the only blocker to that bug might be resolved. Today it is too late to look into this, tomorrow my day is fully planned; so, I plan to do this on Wednesday and hope the part of the spring-* packages suffice to resolve the dependencies.

(Due to the way Maven works, it satisfied the dependencies using a local repo into which Maven had fetched them; this happened because I forgot to remove them from the build.xml and expected it to rewrite them, which doesn't happen. I'll adapt my test script to clean out the Maven folder and check for the presence of such entries in the classpath of the build.xml to prevent this from ever happening again. The alternative is to use a test chroot; but it is tedious to emerge all the Java dependencies, though I could try to make a script to unmerge all packages that are not in the dependency tree of a package.)

So, expect me to fix struts-* in less than 48 hours; unless it is more urgent, in which case maybe someone else from the herd might want to look into it tomorrow.

Regardless, stabilization of the non-struts packages can already proceed.
Comment 5 Agostino Sarubbo gentoo-dev 2013-11-04 11:12:06 UTC
CC back the arches when 487280 is resolved.
Comment 6 Patrice Clement gentoo-dev 2016-02-07 11:10:04 UTC
This package has been removed, along with all the struts related ebuilds. See bug 540888.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2016-02-07 11:21:25 UTC
no GLSA for XSS