
Bug 831979 (CVE-2022-23437)

Summary: <dev-java/xerces-2.12.2: infinite loop vulnerability
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: fordfrog, java
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.openwall.com/lists/oss-security/2022/01/24/3
See Also: https://github.com/gentoo/gentoo/pull/24054
          https://github.com/gentoo/gentoo/pull/24424
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 834614
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-24 15:06:51 UTC
From URL:

"There's a vulnerability within the Apache Xerces Java (XercesJ) XML
parser when handling specially crafted XML document payloads. This
causes the XercesJ XML parser to wait in an infinite loop, which may
sometimes consume system resources for a prolonged duration. This
vulnerability is present within XercesJ version 2.12.1 and the
previous versions.

Mitigation:

Apache XercesJ users should migrate to version 2.12.2"

Please bump.
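The advisory quoted above describes a parser that stops making progress on a crafted document; the only real fix is the version bump this bug tracks. As an added example (not code from this bug, from Gentoo or from the Xerces project), the following Java shows the two checks a practitioner would want while the bump propagates: report which XercesJ build is actually on the classpath (via the real `org.apache.xerces.impl.Version.getVersion()`, reached by reflection so the code compiles without the jar), flag anything older than 2.12.2 as affected, and parse untrusted XML under a wall-clock budget so a hung parse fails the request instead of hanging the caller. The crafted payload is not reproduced here because the page does not give it; the sample document below is a constructed, benign one. The class name, the 2-second budget and the three-part version comparison are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

/** Added example, not part of the Gentoo bug or of Xerces itself. */
public final class BoundedXmlParse {

    /** Raised when a parse exceeds its wall-clock budget. */
    public static final class ParseTimeout extends Exception {
        ParseTimeout(String msg) { super(msg); }
    }

    /** Apache Xerces version string (e.g. "Xerces-J 2.12.2") if the Apache jar is on the
     *  classpath; null when only the JDK-internal copy is present (check your JDK instead). */
    public static String xercesVersion() {
        try {
            Class<?> v = Class.forName("org.apache.xerces.impl.Version");
            return (String) v.getMethod("getVersion").invoke(null);
        } catch (ReflectiveOperationException e) {
            return null;
        }
    }

    /** True when the version string names a release older than 2.12.2 (the fixed version
     *  from the advisory). Assumes a "Xerces-J x.y.z" string; null means "cannot tell". */
    public static boolean isAffected(String versionString) {
        if (versionString == null) return false;
        String[] tok = versionString.trim().split("\\s+");
        String[] parts = tok[tok.length - 1].split("\\.");
        int[] fixed = {2, 12, 2};
        for (int i = 0; i < fixed.length; i++) {
            String digits = i < parts.length ? parts[i].replaceAll("[^0-9].*$", "") : "";
            int p = digits.isEmpty() ? 0 : Integer.parseInt(digits);
            if (p != fixed[i]) return p < fixed[i];
        }
        return false;
    }

    /** Parse untrusted XML with DTDs disallowed and secure processing on, giving up after
     *  budgetMillis. The parse runs on a daemon thread so a parser that never returns cannot
     *  block the caller or JVM exit; it may still burn a core until the process is recycled,
     *  which is why this bounds the damage rather than replacing the upgrade. */
    public static Document parseWithBudget(byte[] xml, long budgetMillis) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder builder = f.newDocumentBuilder();

        ExecutorService ex = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "xml-parse");
            t.setDaemon(true);
            return t;
        });
        try {
            Future<Document> fut = ex.submit(() -> builder.parse(new ByteArrayInputStream(xml)));
            return fut.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException te) {
            throw new ParseTimeout("XML parse exceeded " + budgetMillis + " ms; document rejected");
        } catch (ExecutionException ee) {
            Throwable cause = ee.getCause();
            throw (cause instanceof Exception) ? (Exception) cause : ee;
        } finally {
            ex.shutdownNow(); // interrupts the worker; a spinning parser may ignore it
        }
    }

    public static void main(String[] args) throws Exception {
        String v = xercesVersion();
        System.out.println("Apache Xerces on classpath: " + v
                + (isAffected(v) ? "  (older than 2.12.2: affected by CVE-2022-23437)" : ""));
        // Constructed, benign sample document; the crafted trigger is not reproduced here.
        byte[] doc = "<root><item id=\"1\">ok</item></root>".getBytes(StandardCharsets.UTF_8);
        Document d = parseWithBudget(doc, 2000);
        System.out.println("root element: " + d.getDocumentElement().getTagName());
    }
}
```

Run it with the Apache xerces jar on the classpath to see the detected version; without it, `xercesVersion()` returns null because JAXP falls back to the JDK's internal fork, whose fix status is tied to the JDK update rather than to dev-java/xerces. The timeout converts a hung parse into a rejected request but does not free the CPU a looping thread consumes, so treat it as a stopgap until the 2.12.2 bump is installed.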
Comment 1 Larry the Git Cow gentoo-dev 2022-02-03 12:00:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=743111a72f39a1b24f87bd1b2fc32ef707b41407

commit 743111a72f39a1b24f87bd1b2fc32ef707b41407
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-02-02 17:30:03 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-02-03 12:00:09 +0000

    dev-java/xerces: Bump to 2.12.2
    
    Closes: https://bugs.gentoo.org/831155
    Bug: https://bugs.gentoo.org/831979
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/xerces/Manifest             |  1 +
 dev-java/xerces/metadata.xml         | 11 ++++---
 dev-java/xerces/xerces-2.12.2.ebuild | 57 ++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 4 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2022-02-03 12:06:06 UTC
Thanks vaukai for the bump. Let's give it a few days before we start the stabilization process as we don't have tests for this package.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-04 00:26:26 UTC
No worries, thanks!
Comment 4 Larry the Git Cow gentoo-dev 2022-03-06 17:07:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=610e8e15e38b5c213227f1dabdcddfdf60e66095

commit 610e8e15e38b5c213227f1dabdcddfdf60e66095
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-03-06 16:29:41 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-03-06 17:07:45 +0000

    dev-java/xerces: Drop 2.12.0-r1
    
    Closes: https://bugs.gentoo.org/831155
    Bug: https://bugs.gentoo.org/831979
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/24424
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/xerces/Manifest                |  1 -
 dev-java/xerces/xerces-2.12.0-r1.ebuild | 55 ---------------------------------
 2 files changed, 56 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 18:15:35 UTC
Thanks! Minimal impact so no GLSA. All done!