Bug 842270 (CVE-2022-29820) - <dev-util/pycharm-{community,professional}-2022.1: debugger port exposure
Summary: <dev-util/pycharm-{community,professional}-2022.1: debugger port exposure
Status: IN_PROGRESS
Alias: CVE-2022-29820
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.jetbrains.com/privacy-sec...
Whiteboard: B4 [glsa? cleanup]
Keywords:
Depends on: 889956
Blocks:
Reported: 2022-05-03 00:48 UTC by John Helmert III
Modified: 2025-02-17 18:03 UTC

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-03 00:48:43 UTC
CVE-2022-29820:

In JetBrains PyCharm before 2022.1, exposure of the debugger port to the internal network was possible.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-06 21:53:42 UTC
Please cleanup.
Comment 2 Stefan Cristian Brindusa 2025-02-10 18:54:36 UTC
tcp6       0      0 127.0.0.1:63342         :::*                    LISTEN      365544/pycharm

Behavior is still the same, but it can be disabled by adding -Didea.builtin.server.disabled=true to the custom VM options (Help > Edit Custom VM Options).

https://intellij-support.jetbrains.com/hc/en-us/community/posts/8125278285586-Internal-Local-ports-63342-6942
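
A way to check the listener state reported in Comment 2, as an added example that is not part of the bug report or of the ebuild: it classifies each LISTEN socket owned by the IDE by bind scope and checks a VM options file for the option quoted in that comment. The function names and every sample line except the first are constructed; the input is assumed to be `netstat -tlnp` output.

```python
import ipaddress

# Constructed sample in `netstat -tlnp` layout. Only the first line comes from
# Comment 2; the other lines are invented for illustration.
SAMPLE = """\
tcp6       0      0 127.0.0.1:63342         :::*                    LISTEN      365544/pycharm
tcp6       0      0 :::50001                :::*                    LISTEN      365544/pycharm
tcp        0      0 192.0.2.10:50002        0.0.0.0:*               LISTEN      365544/pycharm
tcp6       0      0 ::ffff:127.0.0.1:50003  :::*                    LISTEN      365544/pycharm
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
"""
VM_OPTION = "-Didea.builtin.server.disabled=true"  # option quoted in Comment 2


def bind_scope(host):
    """Classify a listener address: loopback, all-interfaces or specific."""
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    # Dual-stack sockets can report IPv4-mapped IPv6 addresses (::ffff:a.b.c.d).
    ip = getattr(ip, "ipv4_mapped", None) or ip
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    return "specific"


def listeners(netstat_text, program="pycharm"):
    """Return (port, host, scope) for each LISTEN socket owned by `program`."""
    out = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN" or f[6].partition("/")[2] != program:
            continue
        host, _, port = f[3].rpartition(":")  # split at the last colon (IPv6-safe)
        out.append((int(port), host, bind_scope(host)))
    return out


def reachable_off_host(netstat_text, program="pycharm"):
    """Listeners that are not confined to the loopback interface."""
    return [entry for entry in listeners(netstat_text, program) if entry[2] != "loopback"]


def option_set(vmoptions_text):
    """True if the VM option appears as its own line in the given file text."""
    return any(line.strip() == VM_OPTION for line in vmoptions_text.splitlines())
```

Feed `listeners()` the live output of `netstat -tlnp` and `option_set()` the contents of the file opened by Help > Edit Custom VM Options.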
Comment 3 Larry the Git Cow gentoo-dev 2025-02-17 18:03:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=094772508de6e03f6616b8cf4404d98eed9fa994

commit 094772508de6e03f6616b8cf4404d98eed9fa994
Author:     Stefan Cristian B. <stefan.cristian+git@rogentos.ro>
AuthorDate: 2025-02-17 09:40:31 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2025-02-17 18:03:24 +0000

    dev-util/pycharm-community: version bump 2024.3.2 and bugfixes
    
    * On #876295, implemented the solution discussed with @thesamesam to strip
      debug symbols and relocate them in ${EPREFIX}/opt/${P}.
      JetBrains IDEs have almost identical .build-ids, causing conflicts.
      To prevent the conflicts, we relocate debug symbols per package.
      The preferred method is stripping with objcopy and using debugedit to
      point to their new /usr/lib/debug/ location.
    * The #804453 SONAME correction was done earlier than 2024.3.1-r1.
    * Corrected the full list of LICENSES as per #694270 bug
    * On #842270 port is still exposed.
      The port can be closed with configuration by upstream.
      Referral: https://intellij-support.jetbrains.com
      Post name/link: 8125278285586-Internal-Local-ports-63342-6942
    * The #907845 does not reproduce anymore.
    * The #804456 does not reproduce anymore.
    * The #804450 does not reproduce anymore.
    * The #804453 does not reproduce anymore.
    
    Bug: https://bugs.gentoo.org/842270
    Closes: https://bugs.gentoo.org/907845
    Closes: https://bugs.gentoo.org/694270
    Closes: https://bugs.gentoo.org/804456
    Closes: https://bugs.gentoo.org/804450
    Closes: https://bugs.gentoo.org/804453
    Closes: https://bugs.gentoo.org/949338
    Signed-off-by: Stefan Cristian B. <stefan.cristian+git@rogentos.ro>
    Closes: https://github.com/gentoo/gentoo/pull/40450
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 dev-util/pycharm-community/Manifest                |   2 +
 .../pycharm-community-2024.3.2.ebuild              | 203 +++++++++++++++++++++
 2 files changed, 205 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=028156b32a929d4921fa550bd8d3bb259baaca8a

commit 028156b32a929d4921fa550bd8d3bb259baaca8a
Author:     Stefan Cristian B. <stefan.cristian+git@rogentos.ro>
AuthorDate: 2025-02-17 09:34:34 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2025-02-17 18:03:23 +0000

    dev-util/pycharm-professional: version bump 2024.3.2 and bugfixes
    
    * On #876295, implemented the solution discussed with @thesamesam to strip
      debug symbols and relocate them in ${EPREFIX}/opt/${P}.
      JetBrains IDEs have almost identical .build-ids, causing conflicts.
      To prevent the conflicts, we relocate debug symbols per package.
      The preferred method is stripping with objcopy and using debugedit to
      point to their new /usr/lib/debug/ location.
    * The #923766 SONAME correction was done earlier than 2024.3.1-r1.
    * Corrected the full list of LICENSES as per #694272 bug
    * On #842270 port is still exposed.
      The port can be closed with configuration by upstream.
      Referral: https://intellij-support.jetbrains.com
      Post name/link: 8125278285586-Internal-Local-ports-63342-6942
    * The #804450 does not reproduce anymore.
    * The #914286 does not reproduce anymore.
    * The #914287 does not reproduce anymore.
    * The #914285 does not reproduce anymore.
    
    Bug: https://bugs.gentoo.org/842270
    Bug: https://bugs.gentoo.org/876295
    Closes: https://bugs.gentoo.org/923766
    Closes: https://bugs.gentoo.org/914286
    Closes: https://bugs.gentoo.org/914287
    Closes: https://bugs.gentoo.org/914285
    Closes: https://bugs.gentoo.org/949389
    Signed-off-by: Stefan Cristian B. <stefan.cristian+git@rogentos.ro>
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 dev-util/pycharm-professional/Manifest             |   2 +
 .../pycharm-professional-2024.3.2.ebuild           | 203 +++++++++++++++++++++
 2 files changed, 205 insertions(+)