872695 – (CVE-2022-36944) dev-lang/scala <dev-lang/scala-bin-2.13.9: deserialization gadget chain

Bug 872695 (CVE-2022-36944) - dev-lang/scala <dev-lang/scala-bin-2.13.9: deserialization gadget chain

Summary: dev-lang/scala <dev-lang/scala-bin-2.13.9: deserialization gadget chain

Status:	RESOLVED FIXED

Alias:	CVE-2022-36944

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/scala/scala/pull/1...
Whiteboard:	B4 [noglsa]
Keywords:	PullRequest

Depends on:	909324
Blocks:
	Show dependency tree

Reported:	2022-09-24 19:59 UTC by John Helmert III
Modified:	2023-07-05 15:51 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/31661
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-09-24 19:59:42 UTC

CVE-2022-36944:

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

This seems to only be a mitigation against certain kinds of
vulnerabilities in Scala programs, so no GLSA. Please bump.

Comment 1 Larry the Git Cow gentoo-dev

2022-09-28 15:39:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e35d7d6b7a1e56e29fb6e515693208ab0ba370c9

commit e35d7d6b7a1e56e29fb6e515693208ab0ba370c9
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-09-28 15:38:31 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-09-28 15:39:46 +0000

    dev-lang/scala-bin: add 2.13.9
    
    Bug: https://bugs.gentoo.org/872695
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-lang/scala-bin/Manifest                |  1 +
 dev-lang/scala-bin/scala-bin-2.13.9.ebuild | 77 ++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)

Comment 2 John Helmert III archtester

2022-09-28 22:50:16 UTC

Thanks Flow! Not sure how I missed the existence of scala-bin.

I'm not sure if we can trust the CVE's assertion that this only affects Scala 2.13.x, so keeping at [ebuild] for now for dev-lang/scala itself. Please stabilize scala-bin-2.13.9 when ready.

Comment 3 Larry the Git Cow gentoo-dev

2023-06-29 06:09:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e44201d7f3ae177c3b8449d53e55fa71ff229c7

commit 0e44201d7f3ae177c3b8449d53e55fa71ff229c7
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-06-28 17:55:24 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-06-29 06:08:55 +0000

    dev-lang/scala-bin: drop 2.13.6
    
    Bug: https://bugs.gentoo.org/872695
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/31661
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-lang/scala-bin/Manifest                |  1 -
 dev-lang/scala-bin/scala-bin-2.13.6.ebuild | 77 ------------------------------
 2 files changed, 78 deletions(-)

Comment 4 John Helmert III archtester

2023-07-05 15:50:44 UTC

Actually, it looks like LazyLists are a 2.13 feature of Scala, so scala itself isn't affected. All done.