Bug 619770 - dev-java/jad-bin: Arbitrary code execution
Summary: dev-java/jad-bin: Arbitrary code execution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 621260
Blocks:
Reported: 2017-05-26 18:44 UTC by Sebastian Pipping
Modified: 2018-04-29 18:06 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sebastian Pipping gentoo-dev 2017-05-26 18:44:56 UTC
I ran into this exploit:

  JAD java Decompiler 1.5.8e - Local Buffer Overflow
  https://www.exploit-db.com/exploits/42076/

If it works, maybe package.mask the package?
Comment 1 James Le Cuirot gentoo-dev 2017-05-30 22:25:13 UTC
(In reply to Sebastian Pipping from comment #0)
> If it works, maybe package.mask the package?

There's not much else you can do, short of last-riting it. It's proprietary and upstream is dead.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-05-31 08:23:56 UTC
Thanks for the report. package.mask / lastrite is the way to go, I have a personal preference for the latter, if non-maintained maybe it fits better in an overlay.

Please note reverse dependencies (behind jad use flag) for dev-lisp/abcl
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 14:46:14 UTC
CC'ing treecleaners to proceed with removal.


* These packages depend on dev-java/jad-bin:
dev-lisp/abcl-0.0.9-r1 (jad ? dev-java/jad-bin)
dev-lisp/abcl-0.20.0 (jad ? dev-java/jad-bin)
Comment 4 Ian Schram 2018-04-21 07:43:30 UTC
Linked is a long commandline buffer overflow on a non-setuid.
I don't see many realistic vectors of feeding an 8k+ argument to the jad binary.
This bug has been known since 2010.

Regardless, of course, there are other bugs, and upstream is dead.
Comment 5 Pacho Ramos gentoo-dev 2018-04-29 18:03:12 UTC
removed