Bug 847817 - dev-embedded/arduino-1.8.19: multiple bundled jars, some with vulnerabilities
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Embedded Gentoo Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 69972 CVE-2020-11988
Reported: 2022-05-27 15:21 UTC by Volkmar W. Pogatzki
Modified: 2022-08-22 20:56 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Volkmar W. Pogatzki 2022-05-27 15:21:09 UTC
$ qlist arduino | grep jar
/usr/share/arduino/lib/jna-platform-4.2.2.jar
/usr/share/arduino/lib/jna-4.2.2.jar
/usr/share/arduino/lib/arduino-core.jar
/usr/share/arduino/lib/pde.jar
/usr/share/arduino/lib/xmlgraphics-commons-2.0.jar
/usr/share/arduino/lib/xml-apis-ext-1.3.04.jar
/usr/share/arduino/lib/xml-apis-1.3.04.jar
/usr/share/arduino/lib/slf4j-simple-1.7.22.jar
/usr/share/arduino/lib/slf4j-api-1.7.22.jar
/usr/share/arduino/lib/rsyntaxtextarea-3.0.3-SNAPSHOT.jar
/usr/share/arduino/lib/jtouchbar-1.0.0.jar
/usr/share/arduino/lib/jssc-2.8.0-arduino4.jar
/usr/share/arduino/lib/jsch-0.1.50.jar
/usr/share/arduino/lib/jmdns-3.5.5.jar
/usr/share/arduino/lib/java-semver-0.8.0.jar
/usr/share/arduino/lib/jackson-databind-2.9.5.jar
/usr/share/arduino/lib/jackson-core-2.9.5.jar
/usr/share/arduino/lib/jackson-annotations-2.9.5.jar
/usr/share/arduino/lib/commons-net-3.3.jar
/usr/share/arduino/lib/commons-logging-1.0.4.jar
/usr/share/arduino/lib/commons-lang3-3.8.1.jar
/usr/share/arduino/lib/commons-io-2.6.jar
/usr/share/arduino/lib/commons-httpclient-3.1.jar
/usr/share/arduino/lib/commons-exec-1.1.jar
/usr/share/arduino/lib/commons-compress-1.8.jar
/usr/share/arduino/lib/commons-codec-1.7.jar
/usr/share/arduino/lib/bcprov-jdk15on-152.jar
/usr/share/arduino/lib/bcpg-jdk15on-152.jar
/usr/share/arduino/lib/batik-xml-1.8.jar
/usr/share/arduino/lib/batik-util-1.8.jar
/usr/share/arduino/lib/batik-transcoder-1.8.jar
/usr/share/arduino/lib/batik-svgpp-1.8.jar
/usr/share/arduino/lib/batik-svg-dom-1.8.jar
/usr/share/arduino/lib/batik-squiggle-1.8.jar
/usr/share/arduino/lib/batik-script-1.8.jar
/usr/share/arduino/lib/batik-rasterizer-1.8.jar
/usr/share/arduino/lib/batik-parser-1.8.jar
/usr/share/arduino/lib/batik-gvt-1.8.jar
/usr/share/arduino/lib/batik-ext-1.8.jar
/usr/share/arduino/lib/batik-dom-1.8.jar
/usr/share/arduino/lib/batik-css-1.8.jar
/usr/share/arduino/lib/batik-codec-1.8.jar
/usr/share/arduino/lib/batik-bridge-1.8.jar
/usr/share/arduino/lib/batik-awt-util-1.8.jar
/usr/share/arduino/lib/batik-anim-1.8.jar
/usr/share/arduino/lib/batik-1.8.jar
/usr/share/arduino/lib/apple.jar
/usr/share/arduino/tools/WiFi101/tool/WiFi101.jar

Most of them have up-to-date versions in the tree.
Comment 1 John Helmert III 2022-08-16 21:36:49 UTC
vaukai, security@ would be very grateful if you could track down the vulnerabilities here
Comment 2 Volkmar W. Pogatzki 2022-08-17 06:20:31 UTC
(In reply to John Helmert III from comment #1)
> vaukai, security@ would be very grateful if you could track down the
> vulnerabilities here

* /usr/share/arduino/lib/xmlgraphics-commons-2.0.jar
  CVE-2020-11988
  (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11988)

* /usr/share/arduino/lib/batik-*-1.8.jar
  CVE-2020-11987
  (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987)

* /usr/share/arduino/lib/jackson-databind-2.9.5.jar
  Direct vulnerabilities:
  CVE-2021-20190
  CVE-2020-9548
  CVE-2020-9547
  CVE-2020-9546
  CVE-2020-36518
  CVE-2020-36188
  CVE-2020-36186
  CVE-2020-36184
  CVE-2020-36182
  CVE-2020-36180
  CVE-2020-35491
  CVE-2020-25649
  CVE-2020-24616
  CVE-2020-14062
  CVE-2020-14060
  CVE-2020-11619
  CVE-2020-11112
  CVE-2020-10969
  CVE-2020-10673
  CVE-2020-10650
  CVE-2019-17531
  CVE-2019-16943
  CVE-2019-16335
  CVE-2019-14892
  CVE-2019-14439
  CVE-2019-12814
  CVE-2019-12086
  CVE-2018-19361
  CVE-2018-14721
  CVE-2018-14719
  CVE-2018-12023
  CVE-2018-11307
  (https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.5)

* /usr/share/arduino/lib/bcprov-jdk15on-152.jar
  CVE-2020-15522
  (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522)
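The audit in comment 0 (list the bundled jars with qlist) and comment 2 (match each jar's version against known CVEs) can be made repeatable. The Python below is an added example, not Gentoo's or Arduino's code: it parses qlist-style jar paths into artifact and version (handling the awkward names on this page such as bcprov-jdk15on-152, jssc-2.8.0-arduino4 and the batik-*-1.8 family), falls back to Implementation-Version in META-INF/MANIFEST.MF when the file name carries no version (as with arduino-core.jar), and flags versions older than a fixed release. The FIXED table is an assumption recalled from the upstream advisories for the CVEs listed above, not data from this bug, and must be verified before anyone relies on it; the sample paths are a subset of comment 0's list and the manifest-only jar is constructed in memory.

```python
"""Audit bundled jars by file name, with a MANIFEST.MF fallback.
Added example, not Gentoo's or Arduino's code. FIXED is an assumption."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Subset of the `qlist arduino | grep jar` output from comment 0.
SAMPLE_JARS = [
    "/usr/share/arduino/lib/xmlgraphics-commons-2.0.jar",
    "/usr/share/arduino/lib/batik-svg-dom-1.8.jar",
    "/usr/share/arduino/lib/jackson-databind-2.9.5.jar",
    "/usr/share/arduino/lib/bcprov-jdk15on-152.jar",
    "/usr/share/arduino/lib/jssc-2.8.0-arduino4.jar",
    "/usr/share/arduino/lib/rsyntaxtextarea-3.0.3-SNAPSHOT.jar",
    "/usr/share/arduino/lib/arduino-core.jar",
]

# artifact -> first release believed to close the CVEs from comment 2.
# ASSUMPTION: recalled from upstream advisories, verify before relying on it.
FIXED = {
    "xmlgraphics-commons": "2.4",    # CVE-2020-11988
    "batik": "1.13",                 # CVE-2020-11987, every batik-*-1.8.jar
    "jackson-databind": "2.13.2.1",  # newest of the listed CVEs, CVE-2020-36518
    "bcprov-jdk15on": "1.66",        # CVE-2020-15522; '152' means 1.52
}

def split_jar_name(path: str) -> Tuple[str, Optional[str]]:
    """'jssc-2.8.0-arduino4.jar' -> ('jssc', '2.8.0-arduino4').
    The version starts at the first '-' token that begins with a digit, so
    'bcprov-jdk15on-152' keeps 'jdk15on' in the artifact name."""
    stem = path.rsplit("/", 1)[-1].removesuffix(".jar")
    tokens = stem.split("-")
    for i in range(1, len(tokens)):
        if tokens[i][:1].isdigit():
            return "-".join(tokens[:i]), "-".join(tokens[i:])
    return stem, None

def manifest_version(jar_bytes: bytes) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, for jars such
    as arduino-core.jar whose file name carries no version."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def constructed_jar(impl_version: str) -> bytes:
    """Minimal in-memory jar holding only a manifest (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = f"Manifest-Version: 1.0\r\nImplementation-Version: {impl_version}\r\n\r\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix as a tuple: '2.9.5' -> (2, 9, 5). Qualifiers such as
    '-arduino4' or '-SNAPSHOT' are ignored for ordering, and Bouncy Castle's
    bare '1NN' scheme is normalised so '152' -> (1, 52)."""
    core = re.split(r"[-_+]", version, maxsplit=1)[0]
    if re.fullmatch(r"1\d\d", core):
        return (1, int(core[1:]))
    return tuple(int(p) for p in re.findall(r"\d+", core))

def is_older(a: str, b: str) -> bool:
    """True if version a sorts before b; shorter tuples are zero-padded."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))

def lookup_fixed(artifact: str) -> Optional[str]:
    """Exact artifact first, then the batik-* family, which shares one release."""
    if artifact in FIXED:
        return FIXED[artifact]
    return FIXED["batik"] if artifact.startswith("batik-") else None

def audit(paths: List[str], contents: Optional[Dict[str, bytes]] = None):
    """Return [(path, artifact, version, fixed, flagged)] for each jar;
    `contents` optionally supplies jar bytes for the manifest fallback."""
    report = []
    for p in paths:
        artifact, version = split_jar_name(p)
        if version is None and contents and p in contents:
            version = manifest_version(contents[p])
        fixed = lookup_fixed(artifact)
        flagged = bool(version and fixed and is_older(version, fixed))
        report.append((p, artifact, version, fixed, flagged))
    return report

if __name__ == "__main__":
    core = "/usr/share/arduino/lib/arduino-core.jar"
    for p, art, ver, fixed, flagged in audit(SAMPLE_JARS, {core: constructed_jar("1.8.19")}):
        state = "VULNERABLE" if flagged else ("unversioned" if ver is None else "ok")
        print(f"{state:11} {art} {ver or '?'} (fixed in {fixed or 'n/a'}) {p}")
```

To run it against a real installation, feed `audit()` the output of `qlist arduino | grep '\.jar$'` and, for unversioned names, the jar bytes read from disk. Qualifiers are deliberately dropped from ordering: a `-arduino4` or `-SNAPSHOT` suffix says nothing about which upstream fixes are present, so the numeric core is the only thing worth comparing, and any jar the script reports as `unversioned` still needs a manual look.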
Comment 3 John Helmert III 2022-08-22 20:56:00 UTC
Actually, according to matthews on irc, there shouldn't be any security impact here. The package having so many vulnerable jars is problematic, but not from a security perspective as it is not a problem with the trust model of the package.