908513 – (CVE-2023-2976) <dev-java/guava-32.1.2: insecure temporary directory creation

Bug 908513 (CVE-2023-2976) - <dev-java/guava-32.1.2: insecure temporary directory creation

Summary: <dev-java/guava-32.1.2: insecure temporary directory creation

Status:	RESOLVED FIXED

Alias:	CVE-2023-2976

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [noglsa]
Keywords:	PullRequest

Depends on:	913690
Blocks:
	Show dependency tree

Reported:	2023-06-15 05:09 UTC by John Helmert III
Modified:	2023-10-23 04:34 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2018-10237, CVE-2020-8908 https://github.com/gentoo/gentoo/pull/31449 https://github.com/gentoo/gentoo/pull/32645
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-06-15 05:09:11 UTC

CVE-2023-2976 (https://github.com/google/guava/issues/2575):

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

A patch is in 32.0.0 (and seems to indicate this is a continuation of
the issue in CVE-2020-8908):
https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284

Comment 1 Larry the Git Cow gentoo-dev

2023-09-05 07:43:22 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4de1eaacd9218695074c1a3ba6595e600f19e831

commit 4de1eaacd9218695074c1a3ba6595e600f19e831
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-06-15 09:00:09 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-09-05 07:40:17 +0000

    dev-java/guava: add 32.1.2
    
    Bug: https://bugs.gentoo.org/908513
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/guava/Manifest            |  1 +
 dev-java/guava/guava-32.1.2.ebuild | 39 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2023-09-06 07:58:41 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09087115a677da4fa4ff0295ffb521c2f0785be3

commit 09087115a677da4fa4ff0295ffb521c2f0785be3
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-09-06 07:31:03 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2023-09-06 07:58:32 +0000

    dev-java/guava: drop 31.1
    
    Bug: https://bugs.gentoo.org/908513
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/32645
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/guava/Manifest          |  1 -
 dev-java/guava/guava-31.1.ebuild | 52 ----------------------------------------
 2 files changed, 53 deletions(-)

Comment 3 Volkmar W. Pogatzki 2023-10-06 09:21:47 UTC

The tree is clean. Pls proceed.

Comment 4 John Helmert III archtester

2023-10-23 04:34:24 UTC

All done, thanks!