Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 831509

Summary: <app-backup/tsm-8.1.13.3: contains vulnerable log4j
Product: Gentoo Security Reporter: Andreas K. Hüttel <dilfridge>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 828837, 788115, 829189    

Description Andreas K. Hüttel archtester gentoo-dev 2022-01-19 21:45:01 UTC
I've been informed via an anonymous e-mail that current stable app-backup/tsm-8.1.6.0-r2 contains a vulnerable log4j.

A quick check indeed shows a bundled log4j-1.2.17.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2022-01-19 21:46:23 UTC
In 8.1.13.3 (just in preparation) log4j has been updated to 2.17.1
Comment 2 Larry the Git Cow gentoo-dev 2022-01-19 21:49:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11629c2e66238b3bf753201af27c3147e3ab5cc9

commit 11629c2e66238b3bf753201af27c3147e3ab5cc9
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-01-19 21:48:28 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-01-19 21:48:49 +0000

    app-backup/tsm: Version (and EAPI) bump
    
    Bug: https://bugs.gentoo.org/829189
    Bug: https://bugs.gentoo.org/788115
    Bug: https://bugs.gentoo.org/831509
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-backup/tsm/Manifest            |   1 +
 app-backup/tsm/tsm-8.1.13.3.ebuild | 244 +++++++++++++++++++++++++++++++++++++
 2 files changed, 245 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-19 23:49:20 UTC
What's the impact? How privileged does one have to be to exploit the bundled log4j?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-19 23:50:02 UTC
Also, thank you for bumping! Please stabilize if suitable (hopefully soon given the other issues).
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2022-01-22 18:38:56 UTC
(In reply to John Helmert III from comment #4)
> Also, thank you for bumping! Please stabilize if suitable (hopefully soon
> given the other issues).

I'll stabilize it myself as soon as I've tested it in real-world.
Comment 6 Larry the Git Cow gentoo-dev 2022-01-26 15:01:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19615ea1114f61342dcd610a4bedd9e9874b6c16

commit 19615ea1114f61342dcd610a4bedd9e9874b6c16
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-01-26 15:01:13 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-01-26 15:01:27 +0000

    app-backup/tsm: Remove old
    
    Bug: https://bugs.gentoo.org/831509
    Bug: https://bugs.gentoo.org/829189
    Bug: https://bugs.gentoo.org/788115
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-backup/tsm/Manifest              |   1 -
 app-backup/tsm/tsm-8.1.6.0-r2.ebuild | 243 -----------------------------------
 2 files changed, 244 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5279a8876e6339a00122fd648893ecfd6bfc9de4

commit 5279a8876e6339a00122fd648893ecfd6bfc9de4
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-01-26 15:00:36 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-01-26 15:01:24 +0000

    app-backup/tsm: stable 8.1.13.3 for amd64
    
    Bug: https://bugs.gentoo.org/831509
    Bug: https://bugs.gentoo.org/829189
    Bug: https://bugs.gentoo.org/788115
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-backup/tsm/tsm-8.1.13.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 05:13:56 UTC
We'll presume there's *some* way for anything that might be untrusted to be written by log4j here.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 05:19:49 UTC
GLSA request filed
Comment 9 Larry the Git Cow gentoo-dev 2022-09-07 03:01:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fe3e07b9e738d35142f3a5ca93fd91da657936e6

commit fe3e07b9e738d35142f3a5ca93fd91da657936e6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-07 02:52:10 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-07 02:58:06 +0000

    [ GLSA 202209-02 ] IBM Spectrum Protect: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/788115
    Bug: https://bugs.gentoo.org/829189
    Bug: https://bugs.gentoo.org/831509
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-02.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-07 03:18:44 UTC
GLSA released, all done!