Bug 782568 (CVE-2021-29425) - <dev-java/commons-io-2.8.0: path traversal vulnerability
Summary: <dev-java/commons-io-2.8.0: path traversal vulnerability
Status: IN_PROGRESS
Alias: CVE-2021-29425
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B4 [glsa?]
Reported: 2021-04-12 21:48 UTC by John Helmert III
Modified: 2022-06-02 22:07 UTC
Package list:
dev-java/commons-io-2.8.0
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-12 21:48:28 UTC
CVE-2021-29425:

In Apache Commons IO before 2.7, when invoking the method
FileNameUtils.normalize with an improper input string, like
"//../foo", or "\\..\foo", the result would be the same value, thus
possibly providing access to files in the parent directory, but not
further above (thus "limited" path traversal), if the calling code
would use the result to construct a path value.


Fixed in >=2.7. Please bump.
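As an added example (not code from this bug report or from commons-io itself): a caller-side containment check in Java that does not trust the string FilenameUtils.normalize returns, so it rejects the pre-2.7 pass-through of "//../foo" described above as well as the null that normalize documents for input it cannot normalize. The class SafeResolve, the method resolveInside and the "uploads" base directory are assumptions chosen for illustration.

```java
import java.io.File;
import java.io.IOException;
import org.apache.commons.io.FilenameUtils;

// Added example, not part of the bug report or of commons-io. Class, method
// and base-directory names are assumptions chosen for illustration.
public final class SafeResolve {

    private SafeResolve() {
    }

    /**
     * Resolves an untrusted file name under baseDir. Returns the canonical
     * File when it lies inside baseDir, or null when it must be rejected.
     * The normalized string is never used on its own to build the final
     * path; the decision rests on the canonical path of the resolved file.
     */
    public static File resolveInside(File baseDir, String untrustedName) throws IOException {
        String normalized = FilenameUtils.normalize(untrustedName);
        if (normalized == null) {
            // normalize documents null for input it cannot normalize (e.g. "../foo"): reject
            return null;
        }
        // Drop leading separators so a value such as "//../foo" (returned
        // unchanged by commons-io before 2.7, per CVE-2021-29425) is treated
        // as relative to baseDir instead of as an absolute or UNC-style path.
        String relative = normalized.replaceFirst("^[/\\\\]+", "");
        File candidate = new File(baseDir, relative).getCanonicalFile();
        // Canonical paths have symlinks and ".." resolved; require the
        // candidate to sit strictly below the canonical base directory.
        String basePrefix = baseDir.getCanonicalPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory for the demonstration.
        File base = new File(System.getProperty("java.io.tmpdir"), "uploads");
        String[] names = {"report.txt", "a/../b.txt", "//../foo", "\\\\..\\foo", "../secret"};
        for (String name : names) {
            File f = resolveInside(base, name);
            System.out.println(name + " -> " + (f == null ? "rejected" : f.getPath()));
        }
    }
}
```

With commons-io 2.8.0 on the classpath, the two ".." cases and the escaped-prefix cases print "rejected" while "report.txt" and "a/../b.txt" resolve inside the uploads directory.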
Comment 1 Larry the Git Cow gentoo-dev 2021-04-13 10:30:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a69dc4ba502fc196b8e498fd7c9b3edd1c2822de

commit a69dc4ba502fc196b8e498fd7c9b3edd1c2822de
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-13 10:30:17 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-13 10:30:17 +0000

    dev-java/commons-io: bump to 2.8.0
    
    Bug: https://bugs.gentoo.org/736579
    Bug: https://bugs.gentoo.org/758371
    Bug: https://bugs.gentoo.org/779499
    Bug: https://bugs.gentoo.org/782568
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-io/Manifest                |  1 +
 dev-java/commons-io/commons-io-2.8.0.ebuild | 33 +++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
Comment 2 Miroslav Šulc gentoo-dev 2021-04-13 10:32:30 UTC
I'd give it a week or so to see whether some issues pop up or not. If no issues, then it can go stable.
Comment 3 Miroslav Šulc gentoo-dev 2021-04-26 05:11:18 UTC
We can proceed with the stabilization.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-26 19:08:07 UTC
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-26 19:09:37 UTC
x86 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-27 18:08:55 UTC
ppc64 done

all arches done
Comment 7 Larry the Git Cow gentoo-dev 2021-04-27 18:18:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2aaac17e1fb49fe8bce439d36b751f5c8dcc6f5

commit c2aaac17e1fb49fe8bce439d36b751f5c8dcc6f5
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-27 18:18:37 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-27 18:18:37 +0000

    dev-java/commons-io: removed obsolete and vulnerable 2.4
    
    Bug: https://bugs.gentoo.org/782568
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-io/Manifest              |  1 -
 dev-java/commons-io/commons-io-2.4.ebuild | 58 -------------------------------
 2 files changed, 59 deletions(-)
Comment 8 Miroslav Šulc gentoo-dev 2021-04-27 18:19:06 UTC
The tree is clean now, you can proceed.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 13:34:30 UTC
Thank you!
Comment 10 NATTkA bot gentoo-dev 2021-10-26 06:44:51 UTC
Unable to check for sanity:

> no match for package: dev-java/commons-io-2.8.0