
Bug 775248 (CVE-2020-13936)

Summary: <dev-java/velocity-2.3: multiple vulnerabilities (CVE-2020-13936)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: fordfrog, java
Priority: Normal
Keywords: PullRequest
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/20429
Whiteboard: B2 [glsa?]
Package list:
dev-java/velocity-2.3
Runtime testing required: ---
Bug Depends on: 736962, 785772    
Bug Blocks:    
Attachments:
Description Flags
velocity-2.3.ebuild none

Description John Helmert III gentoo-dev Security 2021-03-10 13:21:40 UTC
CVE-2020-13936 (https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E):

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

CVE-2020-13959 (https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E):

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.


Please bump to 3.1.
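The distinction the CVE-2020-13936 description draws, as an added Java illustration against the Velocity 2.x API (not code from this bug or from the Velocity project): untrusted input belongs in the context as data, never in the template source, and the SecureUberspector limits what a template can reach through reflection as defense in depth alongside the version bump. The template directory and the `greeting.vm` name are assumptions.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

// Added illustration (not Gentoo's or Apache's code): keeps user input out of
// the template source and restricts what templates may reflect on.
public final class SafeVelocityRendering {

    // Templates come only from a fixed, administrator-controlled directory
    // (assumed path); nothing a web user sends is ever parsed as a template.
    static VelocityEngine buildEngine(String templateDir) {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.RESOURCE_LOADERS, "file");
        engine.setProperty("resource.loader.file.class",
            "org.apache.velocity.runtime.resource.loader.FileResourceLoader");
        engine.setProperty("resource.loader.file.path", templateDir);
        // Defense in depth: SecureUberspector refuses reflective escapes
        // (e.g. Class.forName, getClassLoader) from inside templates. Its
        // default introspector.restrict.packages / .classes lists stay in force.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
            "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();
        return engine;
    }

    // Safe pattern: the template is fixed, the user value is context data.
    static String render(VelocityEngine engine, String userSuppliedName) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userSuppliedName); // data, never template source
        StringWriter out = new StringWriter();
        engine.mergeTemplate("greeting.vm", "UTF-8", ctx, out);
        return out.toString();
    }

    // Anti-pattern the advisory warns about: evaluating user-supplied text as
    // a template hands the user the full directive language. Do not do this.
    static String renderUntrustedTemplate(VelocityEngine engine, String userText) {
        StringWriter out = new StringWriter();
        engine.evaluate(new VelocityContext(), out, "untrusted", userText);
        return out.toString();
    }
}
```

With the engine built this way, a request parameter reaches the output only through `$name` in the fixed template; on an engine older than 2.3 the second method is the path the advisory describes.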
Comment 1 Volkmar W. Pogatzki 2021-04-05 16:53:08 UTC
Created attachment 697773 [details]
velocity-2.3.ebuild

(In reply to John Helmert III from comment #0)
> CVE-2020-13936
> [...]
> allow untrusted users to upload/modify velocity templates running Apache
> Velocity Engine versions up to 2.2.
> 
Upgrading to velocity-engine-2.3 needs
* commons-io-2.8.0
* hsqldb-2.5.1
(See attached velocity-2.3.ebuild)
Comment 2 Larry the Git Cow gentoo-dev 2021-04-25 15:23:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71aa218c86852f9b6b3891ae33bb93445053dc8d

commit 71aa218c86852f9b6b3891ae33bb93445053dc8d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-04-17 20:23:16 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-25 15:23:46 +0000

    dev-java/velocity: bump to 2.3
    
    Bug: https://bugs.gentoo.org/775248
    
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/20429
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/velocity/Manifest            |   1 +
 dev-java/velocity/velocity-2.3.ebuild | 144 ++++++++++++++++++++++++++++++++++
 2 files changed, 145 insertions(+)
Comment 3 John Helmert III gentoo-dev Security 2021-04-25 23:55:35 UTC
Now that I look closer I see CVE-2020-13959 doesn't apply to dev-java/velocity, so thank you for the bump and please stabilize when ready!
Comment 12 Sam James archtester gentoo-dev Security 2021-05-18 17:24:11 UTC
amd64 done
Comment 13 Sam James archtester gentoo-dev Security 2021-05-18 17:24:43 UTC
x86 done

all arches done
Comment 14 Larry the Git Cow gentoo-dev 2021-05-18 18:04:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c78da96b1afc9c1374508c38bd32514273d1e8d

commit 2c78da96b1afc9c1374508c38bd32514273d1e8d
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-05-18 18:03:45 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-05-18 18:03:45 +0000

    dev-java/velocity: removed obsolete and vulnerable 1.7-r2
    
    Bug: https://bugs.gentoo.org/775248
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/velocity/Manifest               |  1 -
 dev-java/velocity/velocity-1.7-r2.ebuild | 67 --------------------------------
 2 files changed, 68 deletions(-)
Comment 15 Miroslav Šulc gentoo-dev 2021-05-18 18:04:33 UTC
the tree is clean now, you can proceed.
Comment 16 John Helmert III gentoo-dev Security 2021-05-18 23:50:09 UTC
Thank you!