
Bug 719144 (CVE-2019-5427)

Summary: <dev-java/c3p0-0.9.5.5: Denial of service ("billion laughs") by recursive XML expansion (CVE-2019-5427)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
CC: fordfrog, java
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/23793
Whiteboard: B3 [glsa? cve]
Package list:
Runtime testing required: ---
Bug Depends on: 831229
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-24 02:03:47 UTC
CVE-2019-5427 (https://nvd.nist.gov/vuln/detail/CVE-2019-5427):
  c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when
  loading XML configuration due to missing protections against recursive
  entity expansion when loading configuration.
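The bug class named in the CVE text, shown as an added example (this is not c3p0's code, nor the upstream fix; it only illustrates the mechanism and a standard JAXP hardening). A permissive DocumentBuilderFactory expands a nested-entity DOCTYPE, turning a few hundred bytes of "configuration" into thousands of characters; the same document is rejected outright by a factory that disallows DTDs. The payload is constructed here and deliberately scaled down to three levels of ten (111 expansions, well under the JDK's default entity expansion limit) so it runs instantly; a real attack nests around nine levels. The `c3p0-config`/`default-config`/`property` element names are used only as an illustrative document body, and the feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class BillionLaughsDemo {

    // Constructed payload (not from the advisory): 3 levels of 10 nested entities.
    // Each &lol3; reference expands to 10^3 copies of "lol" = 3000 characters.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE c3p0-config [\n"
      + "  <!ENTITY lol \"lol\">\n"
      + "  <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + "  <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + "  <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
      + "]>\n"
      + "<c3p0-config><default-config>"
      + "<property name=\"user\">&lol3;</property>"
      + "</default-config></c3p0-config>";

    // JAXP defaults: an inline DTD is accepted and its entities are expanded.
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory (assumed hardening, not c3p0's actual fix): reject any
    // DOCTYPE so no entity can be declared at all, and additionally switch off
    // external entities, XInclude and entity-reference expansion.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse the document and report how much text the parser materialised.
    static int parsedTextLength(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent().length();
    }

    public static void main(String[] args) throws Exception {
        // Permissive parse: a ~400-byte document yields 3000 characters of text.
        System.out.println("payload bytes: " + PAYLOAD.length());
        System.out.println("permissive parse text length: "
                + parsedTextLength(permissiveFactory(), PAYLOAD));

        // Hardened parse: fails at the DOCTYPE line before any expansion happens.
        try {
            parsedTextLength(hardenedFactory(), PAYLOAD);
            System.out.println("hardened parse: accepted (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parse: rejected -> " + e.getMessage());
        }
    }
}
```

The practical check for any Java code that parses configuration from a path an attacker might influence is the same: grep for `DocumentBuilderFactory.newInstance()` (and the SAX/StAX equivalents) and confirm that `disallow-doctype-decl` is set, or that a DTD-free parser is used, before `parse()` is called. The JDK's default expansion limit (64000 entity expansions under secure processing) only bounds the damage; it does not make DTD-accepting parsing of untrusted input safe.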
Comment 1 Larry the Git Cow gentoo-dev 2022-01-15 09:28:36 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a412428273d4599a10dc6d15e926a35d61bf0bc3

commit a412428273d4599a10dc6d15e926a35d61bf0bc3
Author:     Yuan Liao <liaoyuan@gmail.com>
AuthorDate: 2022-01-13 22:46:12 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-01-15 09:28:33 +0000

    dev-java/c3p0: Add 0.9.5.5 with EAPI 8, updated HOMEPAGE and LICENSE
    
    Closes: https://bugs.gentoo.org/719144
    Bug: https://bugs.gentoo.org/830920
    Signed-off-by: Yuan Liao <liaoyuan@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/23793
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/c3p0/Manifest            |  1 +
 dev-java/c3p0/c3p0-0.9.5.5.ebuild | 57 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
Comment 2 Miroslav Šulc gentoo-dev 2022-01-15 09:30:01 UTC
reverting back to confirmed
Comment 3 Larry the Git Cow gentoo-dev 2022-01-18 18:37:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e0cece5233dfea8da2e61d0db9d96456af2e0c2

commit 8e0cece5233dfea8da2e61d0db9d96456af2e0c2
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-01-18 18:37:03 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-01-18 18:37:03 +0000

    dev-java/c3p0: removed obsolete and vulnerable 0.9.5.1
    
    Bug: https://bugs.gentoo.org/719144
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/c3p0/Manifest            |  1 -
 dev-java/c3p0/c3p0-0.9.5.1.ebuild | 59 ---------------------------------------
 2 files changed, 60 deletions(-)
Comment 4 Miroslav Šulc gentoo-dev 2022-01-18 18:37:43 UTC
the tree is clean now, you can proceed.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-18 20:00:24 UTC
Thank you!