
Bug 739352 (CVE-2018-17201, CVE-2018-17202)

Summary: <dev-java/commons-imaging-1.0_alpha2: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: java
Priority: Normal
Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/23917
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James 2020-08-28 03:33:25 UTC
* CVE-2018-17201

Description:
"Certain input files could make the code hang when Apache Sanselan 0.97-incubator was used to parse them, which could be used in a DoS attack. Note that Apache Sanselan (incubating) was renamed to Apache Commons Imaging."

URL: https://lists.apache.org/thread.html/cd37861963aa6d2694c8947d464c99614d3e1a9db6c1a2a8b7b5840a@%3Cdev.commons.apache.org%3E

* CVE-2018-17202

Description:
"Certain input files could make the code enter an infinite loop when Apache Sanselan 0.97-incubator was used to parse them, which could be used in a DoS attack. Note that Apache Sanselan (incubating) was renamed to Apache Commons Imaging."

URL: https://lists.apache.org/thread.html/69204376d12205b0d2d90e6fcbeebb99b894e6db88c8ff565c4e1efa@%3Cdev.commons.apache.org%3E
Comment 1 Sam James 2020-08-28 03:34:16 UTC
Please bump to 1.0-alpha1 or newer (alpha2 is latest at time of writing).
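Added example (not part of this bug report and not Gentoo's own tooling): a small Python check that decides whether an installed dev-java/commons-imaging is below the fixed version named in comment 1. It implements the subset of Gentoo's version ordering needed here (numeric components, a trailing letter, the _alpha/_beta/_pre/_rc/_p suffixes, and -rN revisions), so that 1.0_alpha1 correctly sorts below 1.0 and above 0.97. The input format is assumed to be one `category/pn-version` atom per line, as `qlist -Iv` from portage-utils prints; the sample lines below are constructed for the example, not taken from a real system. The bound defaults to 1.0_alpha1 (comment 1); the bug title's bound, 1.0_alpha2, can be passed instead.

```python
import re

# Assumed on-disk naming: Gentoo writes the upstream "1.0-alpha1" as "1.0_alpha1".
FIXED_IN = "1.0_alpha1"

_VERSION_RE = re.compile(
    r"^(?P<num>\d+(?:\.\d+)*)"                    # dotted numeric components
    r"(?P<letter>[a-z])?"                          # optional single letter (1.0a)
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"  # zero or more suffixes
    r"(?:-r(?P<rev>\d+))?$"                        # optional Gentoo revision
)
# Suffix ordering from PMS: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}


def parse_version(version):
    """Split a Gentoo version string into (numbers, letter, suffixes, revision)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a Gentoo version: {version!r}")
    numbers = m.group("num").split(".")
    letter = m.group("letter") or ""
    suffixes = [(name, int(n or 0))
                for name, n in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group("suffixes"))]
    revision = int(m.group("rev") or 0)
    return numbers, letter, suffixes, revision


def _cmp(x, y):
    return (x > y) - (x < y)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is lower than, equal to or higher than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    # Numeric components: first one as an integer; later ones as strings
    # (trailing zeros stripped) when either has a leading zero, per PMS.
    for i in range(max(len(na), len(nb))):
        if i >= len(na):
            return -1          # "1.0" < "1.0.0": more components wins
        if i >= len(nb):
            return 1
        x, y = na[i], nb[i]
        if i > 0 and (x.startswith("0") or y.startswith("0")):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    c = _cmp(la, lb)           # absent letter sorts before any letter
    if c:
        return c
    # Suffixes element by element; an exhausted list acts as "no suffix".
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else (None, 0)
        y = sb[i] if i < len(sb) else (None, 0)
        c = _cmp(_SUFFIX_RANK[x[0]], _SUFFIX_RANK[y[0]]) or _cmp(x[1], y[1])
        if c:
            return c
    return _cmp(ra, rb)


def is_affected(version, fixed_in=FIXED_IN):
    """True when the installed version is strictly below the fixed one."""
    return compare_versions(version, fixed_in) < 0


# Atom lines of the form category/pn-version, as `qlist -Iv` prints them.
_ATOM_RE = re.compile(r"^(?P<cat>[^/]+)/(?P<pn>.+?)-(?P<ver>\d[^-]*(?:-r\d+)?)$")


def affected_packages(qlist_lines, package="dev-java/commons-imaging", fixed_in=FIXED_IN):
    """Return the atoms in qlist_lines that name `package` at an affected version."""
    hits = []
    for line in qlist_lines:
        m = _ATOM_RE.match(line.strip())
        if not m or f"{m.group('cat')}/{m.group('pn')}" != package:
            continue
        if is_affected(m.group("ver"), fixed_in):
            hits.append(line.strip())
    return hits


# Constructed sample resembling `qlist -Iv` output; one affected, one fixed.
SAMPLE_QLIST = """\
dev-java/commons-imaging-0.97-r1
dev-java/commons-io-2.11.0
dev-java/commons-imaging-1.0_alpha2
"""

if __name__ == "__main__":
    for atom in affected_packages(SAMPLE_QLIST.splitlines()):
        print(f"affected: {atom} (fixed in {FIXED_IN})")
```

On a real box, feed it `qlist -Iv | python3 check.py`-style input instead of the constructed sample; the decision is purely a version-order comparison, so it does not tell you whether your binary was built with the fix backported.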
Comment 2 Larry the Git Cow 2022-01-23 09:40:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b85f0b6e93f0992b51ca729c1ff0494516104ae3

commit b85f0b6e93f0992b51ca729c1ff0494516104ae3
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-01-22 19:17:22 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-01-23 09:40:28 +0000

    dev-java/commons-imaging: bump to 1.0_alpha2
    
    Bug: https://bugs.gentoo.org/739352
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/commons-imaging/Manifest                  |  1 +
 .../commons-imaging-1.0_alpha2.ebuild              | 41 ++++++++++++++++++++++
 2 files changed, 42 insertions(+)
Comment 3 John Helmert III 2022-01-23 18:36:51 UTC
Thanks! All done.