I've been informed via an anonymous e-mail that current stable app-backup/tsm-8.1.6.0-r2 contains a vulnerable log4j. A quick check indeed shows a bundled log4j-1.2.17.
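The "quick check" the reporter describes, turned into a reusable scan, as an added example that is not part of this bug thread or of the tsm package: it walks an install tree for bundled log4j jars, reads the version out of the upstream jar naming (log4j-<ver>.jar, log4j-<module>-<ver>.jar), and classifies each as the unmaintained 1.x line, a 2.x release below a baseline, or current. The baseline 2.17.1 is an assumption taken from the version the bump shipped; the sample jar names in the demo are constructed, empty files.

```shell
#!/bin/sh
# Added example (not part of the bug thread): scan an install tree for bundled
# log4j jars and classify each by version. Assumptions: jars use the upstream
# naming log4j-<ver>.jar or log4j-<module>-<ver>.jar, and 2.17.1 (the version
# the tsm bump shipped) is taken as the minimum acceptable 2.x release.

# version_lt A B : succeed when dotted version A is lower than B.
# Components are compared numerically; a trailing qualifier such as
# "-rc1" is stripped so the arithmetic test never sees non-digits.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        ax=${ax%%[!0-9]*}; bx=${bx%%[!0-9]*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
    done
    return 1
}

# jar_version FILE : print the version embedded in a log4j jar name, or fail
# for files that are not log4j itself (the log4j-over-slf4j bridge, say).
jar_version() {
    name=$(basename "$1" .jar)
    case $name in
        log4j-over-slf4j-*) return 1 ;;   # SLF4J's bridge, versioned by SLF4J
        log4j-*) printf '%s\n' "${name##*-}" ;;
        *) return 1 ;;
    esac
}

# log4j_status VERSION : eol for the unmaintained 1.x line, outdated for 2.x
# releases below the baseline, ok otherwise.
log4j_status() {
    case $1 in
        1.*) echo eol ;;
        *) if version_lt "$1" 2.17.1; then echo outdated; else echo ok; fi ;;
    esac
}

# scan_log4j DIR : one line per bundled log4j jar: status, version, path.
scan_log4j() {
    find "$1" -type f -name 'log4j*.jar' | sort | while IFS= read -r jar; do
        ver=$(jar_version "$jar") || continue
        printf '%-9s %-8s %s\n' "$(log4j_status "$ver")" "$ver" "$jar"
    done
}

# demo_scan : run the scan over a constructed tree of empty, log4j-named
# files (only the names matter for this filename-based check).
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib"
    touch "$tmp/lib/log4j-1.2.17.jar" \
          "$tmp/lib/log4j-api-2.14.1.jar" \
          "$tmp/lib/log4j-core-2.17.1.jar" \
          "$tmp/lib/log4j-over-slf4j-1.7.36.jar"
    scan_log4j "$tmp"
    rm -rf "$tmp"
}

# Usage: sh log4j-scan.sh /path/to/install   (no argument runs the demo tree)
if [ -n "${1:-}" ]; then scan_log4j "$1"; else demo_scan; fi
```

Filenames are a heuristic: a vendor can rename or repackage a jar, so for anything flagged the manifest's Implementation-Version inside the jar (or the Portage-recorded contents of the package) is the authoritative answer, and a renamed jar is exactly the case this scan will miss.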
In 8.1.13.3 (just in preparation) log4j has been updated to 2.17.1.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11629c2e66238b3bf753201af27c3147e3ab5cc9

commit 11629c2e66238b3bf753201af27c3147e3ab5cc9
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-01-19 21:48:28 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-01-19 21:48:49 +0000

    app-backup/tsm: Version (and EAPI) bump

    Bug: https://bugs.gentoo.org/829189
    Bug: https://bugs.gentoo.org/788115
    Bug: https://bugs.gentoo.org/831509
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-backup/tsm/Manifest            |   1 +
 app-backup/tsm/tsm-8.1.13.3.ebuild | 244 +++++++++++++++++++++++++++++++++++++
 2 files changed, 245 insertions(+)
What's the impact? How privileged does one have to be to exploit the bundled log4j?
Also, thank you for bumping! Please stabilize if suitable (hopefully soon given the other issues).
(In reply to John Helmert III from comment #4)
> Also, thank you for bumping! Please stabilize if suitable (hopefully soon
> given the other issues).

I'll stabilize it myself as soon as I've tested it in the real world.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19615ea1114f61342dcd610a4bedd9e9874b6c16

commit 19615ea1114f61342dcd610a4bedd9e9874b6c16
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-01-26 15:01:13 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-01-26 15:01:27 +0000

    app-backup/tsm: Remove old

    Bug: https://bugs.gentoo.org/831509
    Bug: https://bugs.gentoo.org/829189
    Bug: https://bugs.gentoo.org/788115
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-backup/tsm/Manifest             |   1 -
 app-backup/tsm/tsm-8.1.6.0-r2.ebuild | 243 -----------------------------------
 2 files changed, 244 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5279a8876e6339a00122fd648893ecfd6bfc9de4

commit 5279a8876e6339a00122fd648893ecfd6bfc9de4
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-01-26 15:00:36 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-01-26 15:01:24 +0000

    app-backup/tsm: stable 8.1.13.3 for amd64

    Bug: https://bugs.gentoo.org/831509
    Bug: https://bugs.gentoo.org/829189
    Bug: https://bugs.gentoo.org/788115
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-backup/tsm/tsm-8.1.13.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
We'll presume there's *some* way for anything that might be untrusted to be written by log4j here.
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fe3e07b9e738d35142f3a5ca93fd91da657936e6

commit fe3e07b9e738d35142f3a5ca93fd91da657936e6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-07 02:52:10 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-07 02:58:06 +0000

    [ GLSA 202209-02 ] IBM Spectrum Protect: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/788115
    Bug: https://bugs.gentoo.org/829189
    Bug: https://bugs.gentoo.org/831509
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-02.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
GLSA released, all done!