912248 – (CVE-2023-33201) <dev-java/bcprov-1.74: LDAP injection vulnerability

Bug 912248 (CVE-2023-33201) - <dev-java/bcprov-1.74: LDAP injection vulnerability

Summary: <dev-java/bcprov-1.74: LDAP injection vulnerability

Status:	IN_PROGRESS

Alias:	CVE-2023-33201

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [glsa?]
Keywords:	PullRequest

Depends on:	915968
Blocks:
	Show dependency tree

Reported:	2023-08-14 06:01 UTC by Volkmar W. Pogatzki
Modified:	2023-10-28 08:39 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/32309 https://github.com/gentoo/gentoo/pull/33540
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Volkmar W. Pogatzki 2023-08-14 06:01:55 UTC

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Comment 1 Larry the Git Cow gentoo-dev

2023-09-19 14:10:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=901da761770cc5e16a9303ddcb0722f5b3654773

commit 901da761770cc5e16a9303ddcb0722f5b3654773
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-08-15 05:41:31 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-09-19 14:10:22 +0000

    dev-java/bcprov: add 1.74
    
    Special slot for consumers using deprecated methods which were removed
    in version 1.75.
    
    Bug: https://bugs.gentoo.org/912248
    Bug: https://bugs.gentoo.org/912247
    Closes: https://bugs.gentoo.org/797634
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/bcprov/Manifest           |   2 +
 dev-java/bcprov/bcprov-1.74.ebuild | 106 +++++++++++++++++++++++++++++++++++++
 dev-java/bcprov/metadata.xml       |   3 ++
 3 files changed, 111 insertions(+)

Comment 2 John Helmert III archtester

2023-10-22 23:42:32 UTC

1.74 is stabilized, please cleanup.

Comment 3 Volkmar W. Pogatzki 2023-10-23 07:27:58 UTC

(In reply to John Helmert III from comment #2)
> 1.74 is stabilized, please cleanup.

Cannot cleanup before stabilization.
Still waiting for ppc64 on dev-java/{{bcmail,bcpg,bcpkix,bcprov,bcutil}-1.76

Comment 4 John Helmert III archtester

2023-10-25 17:53:25 UTC

Sorry! Saw that there had been stabilizations for the bug, missed that the bug wasn't finished..

Comment 5 Larry the Git Cow gentoo-dev

2023-10-28 08:23:10 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6599a8052ce9db297c031c0b2f9e90b58b558878

commit 6599a8052ce9db297c031c0b2f9e90b58b558878
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-10-27 10:37:03 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-10-28 08:22:58 +0000

    dev-java/bcprov: drop 1.72
    
    Bug: https://bugs.gentoo.org/912248
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/bcprov/Manifest           |  3 +-
 dev-java/bcprov/bcprov-1.72.ebuild | 99 --------------------------------------
 2 files changed, 1 insertion(+), 101 deletions(-)