Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 621876 (CVE-2016-4000) - <dev-java/jython-2.7.0-r2: Unsafe deserialization leads to code execution
Summary: <dev-java/jython-2.7.0-r2: Unsafe deserialization leads to code execution
Status: RESOLVED FIXED
Alias: CVE-2016-4000
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-16 07:46 UTC by Agostino Sarubbo
Modified: 2017-10-29 17:18 UTC (History)
1 user (show)

See Also:
Package list:
=dev-java/jython-2.7.0-r2 amd64 x86
Runtime testing required: Yes
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-06-16 07:46:59 UTC 
From ${URL} :

It was found that jython is vulnerable to arbitrary code executionby sending a serialized function to the deserializer, which in turn will execute the code.

Upstream issue:

http://bugs.jython.org/issue2454

Upstream patch:

https://hg.python.org/jython/rev/d06e29d100c0

References:

https://snyk.io/vuln/SNYK-JAVA-ORGPYTHON-31451


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 James Le Cuirot gentoo-dev 2017-08-31 21:21:08 UTC 
I have now patched against this in the -r2 revbump. I wonder why there was such a long time between discovery and publication. Upstream still haven't put out a new release.

I would appreciate a little urgency on this one. As well as the security issue, it is also indirectly holding up the removal of Java 7.

Runtime testing would be appreciated. Seeing that the jython2.7 console fires up would be sufficient.
Comment 2 Stabilization helper bot gentoo-dev 2017-08-31 22:00:39 UTC 
An automated check of this bug failed - the following atom is unknown:

dev-java/jython-2.7.0-r2

Please verify the atom list.
Comment 3 James Le Cuirot gentoo-dev 2017-08-31 22:03:24 UTC 
(In reply to Stabilization helper bot from comment #2)
> An automated check of this bug failed - the following atom is unknown:
D'oh, forgot to push.
Comment 4 Myckel Habets (work) 2017-09-15 15:26:12 UTC 
Builds and runs fine on x86. Rdeps build fine as well. Please mark stable for x86.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-03 00:44:11 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-10-25 09:31:31 UTC 
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 D'juan McDonald (domhnall) 2017-10-27 15:54:34 UTC 
New GLSA request filed.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 8 Larry the Git Cow gentoo-dev 2017-10-27 18:27:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e509506285cd9c23476eb409931bd752f21fbb0

commit 9e509506285cd9c23476eb409931bd752f21fbb0
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2017-10-27 17:26:17 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-27 18:27:41 +0000

    dev-java/jython: remove vulnerable version.
    
    Bug: https://bugs.gentoo.org/621876
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-java/jython/jython-2.7.0.ebuild | 191 ------------------------------------
 dev-java/jython/metadata.xml        |   3 -
 2 files changed, 194 deletions(-)}
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-10-29 17:18:50 UTC 
This issue was resolved and addressed in
 GLSA 201710-28 at https://security.gentoo.org/glsa/201710-28
by GLSA coordinator Aaron Bauman (b-man).