Bug 739348 (CVE-2017-15708)

Summary: <dev-java/commons-collections-3.2.2: Unsafe deserialisation (CVE-2017-15708)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: fordfrog, java
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://commons.apache.org/proper/commons-collections/release_3_2_2.html
See Also: https://github.com/gentoo/gentoo/pull/20421
https://github.com/gentoo/gentoo/pull/20474
Whiteboard: B2 [glsa+ cve]
Package list:
dev-java/commons-collections-3.2.2
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 779490

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-28 03:19:13 UTC
"This 3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for unsafe classes in the functor package is disabled and will result in an exception when either trying to serialize or de-serialize an instance of these classes. For more details, please refer to COLLECTIONS-580."

"Serialization support for unsafe classes in the functor package is disabled by default as this can be exploited for remote code execution attacks. To re-enable the feature the system property "org.apache.commons.collections.enableUnsafeSerialization" needs to be set to "true". Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure."

Full change list: https://commons.apache.org/proper/commons-collections/changes-report.html#a3.2.2
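A post-upgrade smoke test for the mitigation described in the quoted release notes, added here as an example; it is not part of the bug report or of the upstream project. It assumes a commons-collections 3.x jar on the classpath; InvokerTransformer.getInstance and the property name org.apache.commons.collections.enableUnsafeSerialization are taken from the release notes above, and the exit codes are this example's own convention.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Checks that the commons-collections on the classpath carries the 3.2.2
 * mitigation: serializing one of the functor classes listed in the release
 * notes must fail with UnsupportedOperationException while the opt-in
 * system property is unset. Exit 0 = mitigated, 1 = not mitigated,
 * 2 = mitigation explicitly disabled via the property.
 */
public class CheckUnsafeSerialization {

    // Property name quoted in the 3.2.2 release notes.
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    /** Returns true when the library refuses to serialize the functor. */
    static boolean serializationIsBlocked() throws IOException {
        // Inert instance: nothing is invoked unless transform() is ever called.
        InvokerTransformer functor = InvokerTransformer.getInstance("toString");
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(functor);
            return false; // pre-3.2.2 behaviour: no check at all
        } catch (UnsupportedOperationException e) {
            // 3.2.2 raises this from the functor's writeObject hook.
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        if ("true".equalsIgnoreCase(System.getProperty(PROP))) {
            System.err.println("WARNING: " + PROP + "=true re-enables unsafe serialization; unset it");
            System.exit(2);
        }
        boolean blocked = serializationIsBlocked();
        System.out.println(blocked
            ? "OK: functor serialization is disabled (3.2.2 mitigation present)"
            : "FAIL: functor serialization succeeded; library predates 3.2.2 or lacks the fix");
        System.exit(blocked ? 0 : 1);
    }
}
```

Run it against the jar that the stabilized ebuild installs (e.g. `java -cp /usr/share/commons-collections/lib/commons-collections.jar:. CheckUnsafeSerialization`, path assumed); the same check fails on the removed 3.2.1-r1.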
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-28 03:19:39 UTC
Note that 4.x isn't vulnerable, but <3.2.2 is, so we need to bump to 3.2.2 here *or* just cleanup 3.x if possible.
Comment 2 Larry the Git Cow gentoo-dev 2021-04-21 09:33:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e90a6173247f06514731825677f3fc67c62bdc52

commit e90a6173247f06514731825677f3fc67c62bdc52
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-21 09:31:11 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-21 09:33:09 +0000

    dev-java/commons-collections: bump to 3.2.2
    
    Bug: https://bugs.gentoo.org/739348
    Closes: https://bugs.gentoo.org/784131
    Closes: https://bugs.gentoo.org/780153
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-collections/Manifest              |   1 +
 .../commons-collections-3.2.2.ebuild               |  67 +++++++
 .../files/commons-collections-3.2.2-fixes.patch    | 201 +++++++++++++++++++++
 3 files changed, 269 insertions(+)
Comment 3 Miroslav Šulc gentoo-dev 2021-04-21 09:36:02 UTC
it should be safe to stabilize
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-21 12:35:45 UTC
Thanks!
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-21 18:51:52 UTC
amd64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-22 12:14:09 UTC
ppc64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-26 19:09:42 UTC
x86 done

all arches done
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-26 23:43:19 UTC
Please cleanup
Comment 9 Larry the Git Cow gentoo-dev 2021-04-27 05:36:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7b2e1ce22d34cb19c5e7d03c16fcabe3420d06a

commit c7b2e1ce22d34cb19c5e7d03c16fcabe3420d06a
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-27 05:36:49 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-27 05:36:49 +0000

    dev-java/commons-collections: removed obsolete and vulnerable 3.2.1-r1
    
    Bug: https://bugs.gentoo.org/739348
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-collections/Manifest              |   1 -
 .../commons-collections-3.2.1-r1.ebuild            |  74 ----------
 .../files/commons-collections-3.2.1-Java-8.patch   | 160 ---------------------
 dev-java/commons-collections/metadata.xml          |   3 -
 4 files changed, 238 deletions(-)
Comment 10 Miroslav Šulc gentoo-dev 2021-04-27 05:37:19 UTC
the tree is clean now, you can proceed.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-14 23:32:42 UTC
GLSA request filed.
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-14 23:34:47 UTC
GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-07-16 04:14:36 UTC
This issue was resolved and addressed in GLSA 202107-37 at https://security.gentoo.org/glsa/202107-37 by GLSA coordinator John Helmert III (ajak).