Bug 760111 (CVE-2018-10237, CVE-2020-8908)

Summary: <dev-java/guava-30.1.1: Multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
CC: java
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/21318
https://github.com/gentoo/gentoo/pull/25940
https://bugs.gentoo.org/show_bug.cgi?id=908513
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 809974, 831439, 833309, 833758
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 06:24:58 UTC
* CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

* CVE-2020-8908

A temp directory creation vulnerability exists in Guava versions prior to 30.0, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.
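The two CVE descriptions above each point at a workaround for code that cannot move to a fixed Guava immediately: create the temp directory with restrictive permissions yourself (CVE-2020-8908), and do not let untrusted Java serialization reach the affected AtomicDoubleArray readObject (CVE-2018-10237). The following is an added example written for this bug page, not code from Gentoo or from the Guava project; it uses only JDK APIs (java.nio.file and the Java 9+ ObjectInputFilter), assumes a POSIX filesystem, and the class and method names (GuavaMitigationExample, createPrivateTempDir, readObjectFiltered) are invented for illustration. The serialization filter only covers the Java-serialization vector; the GWT-serialization path through CompoundOrdering named in the CVE is out of its reach.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Added example (hypothetical class name): JDK-only mitigations for the two Guava issues. */
public class GuavaMitigationExample {

    /**
     * CVE-2020-8908 workaround: Guava's Files.createTempDir() leaves the directory with the
     * default /tmp mode. java.nio creates the directory atomically with the requested
     * owner-only permissions, so there is no window in which other local users can read it.
     * The read-back check catches filesystems that silently ignore the requested mode.
     */
    public static Path createPrivateTempDir(String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        Path dir = Files.createTempDirectory(prefix, attr);
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir);
        if (!actual.equals(ownerOnly)) {
            Files.delete(dir);
            throw new IOException("temp dir " + dir + " has mode " + PosixFilePermissions.toString(actual));
        }
        return dir;
    }

    /**
     * CVE-2018-10237 workaround: the affected AtomicDoubleArray.readObject() allocates from a
     * length it reads off the stream, so generic array limits do not help once that method runs.
     * A JEP 290 filter rejects the class while its descriptor is being resolved, before
     * readObject() executes, and additionally caps depth, array length and stream size for the
     * rest of the graph. The class name is just a pattern string; Guava need not be on the classpath.
     */
    public static Object readObjectFiltered(byte[] untrustedBytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "!com.google.common.util.concurrent.AtomicDoubleArray;"
                + "maxdepth=16;maxarray=65536;maxbytes=1048576");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrustedBytes))) {
            in.setObjectInputFilter(filter);
            // Throws InvalidClassException when the filter rejects a class or a limit is exceeded.
            return in.readObject();
        }
    }

    /** Builds constructed sample input for the demo: plain Java serialization of any object. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Temp directory with owner-only mode, verified, then removed again.
        Path dir = createPrivateTempDir("guava-example-");
        System.out.println(dir + " mode=" + PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)));
        Files.delete(dir);

        // A small benign object graph passes the filter (constructed sample data).
        List<Double> sample = new ArrayList<>(List.of(1.0, 2.0, 3.0));
        System.out.println("allowed: " + readObjectFiltered(serialize(sample)));

        // An array longer than maxarray is rejected before ObjectInputStream allocates it.
        try {
            readObjectFiltered(serialize(new double[100_000]));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Setting the filter on each ObjectInputStream as shown is the narrow form; the same pattern string can be installed process-wide through the jdk.serialFilter system property so that every deserialization point inherits it. Neither replaces the upgrade to a fixed Guava, which is what this bug tracks.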
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:25:08 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:33:40 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:41:33 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:49:42 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:05:37 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:13:56 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2022-01-19 02:36:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6f1ad5edce356930cecb857d94a4fd58c7e9ee

commit db6f1ad5edce356930cecb857d94a4fd58c7e9ee
Author:     Jeffrey Lin <jeffrey@icurse.nl>
AuthorDate: 2021-06-19 03:58:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-19 02:36:46 +0000

    dev-java/guava: add 30.1.1
    
    Going back to SLOT 0 as upstream claims "APIs without `@Beta` will
    remain binary-compatible for the indefinite future." [1]
    
    [1]: https://github.com/google/guava#important-warnings
    
    Bug: https://bugs.gentoo.org/760111
    Closes: https://bugs.gentoo.org/809974
    Signed-off-by: Jeffrey Lin <jeffrey@icurse.nl>
    Closes: https://github.com/gentoo/gentoo/pull/21318
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/guava/Manifest            |  1 +
 dev-java/guava/guava-30.1.1.ebuild | 58 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2022-06-17 13:50:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33275e7369fbcc1bb980d6f5e81d3e91e450a614

commit 33275e7369fbcc1bb980d6f5e81d3e91e450a614
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-06-17 11:43:29 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2022-06-17 13:50:13 +0000

    dev-java/guava: drop 20.0, 20.0-r1
    
    Closes: https://bugs.gentoo.org/833309
    Closes: https://bugs.gentoo.org/657692
    Bug: https://bugs.gentoo.org/760111
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/25940
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-java/guava/Manifest             |  1 -
 dev-java/guava/guava-20.0-r1.ebuild | 36 ------------------------------------
 dev-java/guava/guava-20.0.ebuild    | 36 ------------------------------------
 3 files changed, 73 deletions(-)