| Summary: | dev-java/groovy: remote execution of untrusted code in class MethodClosure (CVE-2016-6814) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> | ||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | normal | CC: | java, monsieurp, openhs, slawomir.nizio, via-gentoo | ||||
| Priority: | Normal | ||||||
| Version: | unspecified | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | http://groovy-lang.org/security.html | ||||||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=555470 | ||||||
| Whiteboard: | B2 [glsa+ cve] | ||||||
| Package list: | Runtime testing required: | --- | |||||
| Attachments: |
|
||||||
|
Description
Thomas Deutschmann (RETIRED)
2017-01-14 14:32:26 UTC
@ Maintainer(s): Please bump to >=dev-java/groovy-2.4.8! @maintainer(s): ping Please bump to latest stable version 2.4.14 (https://github.com/apache/groovy/releases/tag/GROOVY_2_4_14) which contains the fix. Demetris Nakos -- Gentoo Security Padawan -- @ Maintainer(s): Is a Bump possible? We meanwhile have version 2.5.5. Thanks! i have looked at the bump but it's not trivial. any help from someone who uses groovy and could update the ebuild to the latest version would be appreciated. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76dc9d72ea85ea427b36c5224130fb5063e9579f commit 76dc9d72ea85ea427b36c5224130fb5063e9579f Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2019-08-14 19:49:23 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2019-08-14 19:49:23 +0000 profiles/package.mask: mask dev-java/groovy * 1 rdep Bug: https://bugs.gentoo.org/605690 Signed-off-by: Aaron Bauman <bman@gentoo.org> profiles/package.mask | 6 ++++++ 1 file changed, 6 insertions(+) Groovy is optional for Freemind. Since the security problem is only in Groovy, can we remove Groovy support from Freemind, instead of completely removing Freemind? Created attachment 586822 [details]
freemind-1.0.1-r4.ebuild
freemind ebuild with groovy support removed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6453206e0e5250ffcdf275d4697282169dcf99d4 commit 6453206e0e5250ffcdf275d4697282169dcf99d4 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-09-14 15:22:10 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-09-14 15:25:56 +0000 dev-java/groovy: Remove last-rited pkg Bug: https://bugs.gentoo.org/605690 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-java/groovy/Manifest | 1 - .../groovy/files/groovy-2.4.5-utils.gradle.patch | 116 ------------------ dev-java/groovy/groovy-2.4.5.ebuild | 135 --------------------- dev-java/groovy/metadata.xml | 14 --- profiles/package.mask | 5 - 5 files changed, 271 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38bfb985b1a420f4de6fff9fc0afa398bf7b830e commit 38bfb985b1a420f4de6fff9fc0afa398bf7b830e Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-09-14 15:20:13 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-09-14 15:25:55 +0000 app-misc/freemind: Remove last-rited pkg Bug: https://bugs.gentoo.org/605690 Signed-off-by: Michał Górny <mgorny@gentoo.org> app-misc/freemind/Manifest | 1 - app-misc/freemind/freemind-1.0.1-r3.ebuild | 121 ----------------------------- app-misc/freemind/metadata.xml | 17 ---- profiles/package.mask | 1 - 4 files changed, 140 deletions(-) Is there a particular reason why the contributed solution from comment #7 was not used for freemind but it was removed instead? This issue was resolved and addressed in GLSA 202003-01 at https://security.gentoo.org/glsa/202003-01 by GLSA coordinator Thomas Deutschmann (whissi). (In reply to Róbert Čerňanský from comment #9) > Is there a particular reason why the contributed solution from comment #7 > was not used for freemind but it was removed instead? It's an interesting question. |