| Summary: | dev-embedded/arduino-1.8.19: multiple bundled jars, some with vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Volkmar W. Pogatzki <gentoo> |
| Component: | Current packages | Assignee: | Embedded Gentoo Team <embedded> |
| Status: | CONFIRMED --- | | |
| Severity: | normal | CC: | esigra, security |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=830716 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 69972, 772929 | | |
Description
Volkmar W. Pogatzki
2022-05-27 15:21:09 UTC
(In reply to John Helmert III from comment #1)
> vaukai, security@ would be very grateful if you could track down the
> vulnerabilities here

* /usr/share/arduino/lib/xmlgraphics-commons-2.0.jar
  CVE-2020-11988 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11988)

* /usr/share/arduino/lib/batik-*-1.8.jar
  CVE-2020-11987 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987)

* /usr/share/arduino/lib/jackson-databind-2.9.5.jar
  Direct vulnerabilities:
  CVE-2021-20190 CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-36518
  CVE-2020-36188 CVE-2020-36186 CVE-2020-36184 CVE-2020-36182 CVE-2020-36180
  CVE-2020-35491 CVE-2020-25649 CVE-2020-24616 CVE-2020-14062 CVE-2020-14060
  CVE-2020-11619 CVE-2020-11112 CVE-2020-10969 CVE-2020-10673 CVE-2020-10650
  CVE-2019-17531 CVE-2019-16943 CVE-2019-16335 CVE-2019-14892 CVE-2019-14439
  CVE-2019-12814 CVE-2019-12086 CVE-2018-19361 CVE-2018-14721 CVE-2018-14719
  CVE-2018-12023 CVE-2018-11307
  (https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.5)

* /usr/share/arduino/lib/bcprov-jdk15on-152.jar
  CVE-2020-15522 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522)

Actually, according to matthews on irc, there shouldn't be any security impact here. The package having so many vulnerable jars is problematic, but not from a security perspective as it is not a problem with the trust model of the package.
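The listing above was produced by reading jar filenames under /usr/share/arduino/lib and looking each one up. The following script is an added example (not code from this bug, from Gentoo, or from the Arduino project) showing how to do that inventory more reliably: it reads the Maven coordinates a build embeds in each jar at META-INF/maven/<groupId>/<artifactId>/pom.properties, falls back to the `<artifact>-<version>.jar` filename pattern only when that file is absent, and matches the result against a table built from the four jars and the CVE ids named in the comment. The sample jars it writes to a temporary directory are constructed stand-ins (metadata only, no classes); `example-helper-1.0.jar` and the `org.example` group are hypothetical, and the exact-version table is the comment's list, not an advisory database with fixed-in versions.

```python
"""Inventory the jars in a lib directory and flag the ones the bug report names.

Added example for illustration; it is not code from the Gentoo bug, the
Arduino package, or any scanner. pom.properties inside the jar is preferred
over the filename because filenames drop or mangle the version (Bouncy
Castle's bcprov-jdk15on-152.jar is version 1.52).
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# (artifactId, version) -> CVE ids, taken from the bug report. Exact-version
# match on the pinned versions the report names, not a range check; a range
# check needs an advisory database with fixed-in versions.
# A trailing "*" in the artifact name matches every module with that prefix.
JACKSON_DATABIND_2_9_5_CVES = [
    "CVE-2021-20190", "CVE-2020-9548", "CVE-2020-9547", "CVE-2020-9546",
    "CVE-2020-36518", "CVE-2020-36188", "CVE-2020-36186", "CVE-2020-36184",
    "CVE-2020-36182", "CVE-2020-36180", "CVE-2020-35491", "CVE-2020-25649",
    "CVE-2020-24616", "CVE-2020-14062", "CVE-2020-14060", "CVE-2020-11619",
    "CVE-2020-11112", "CVE-2020-10969", "CVE-2020-10673", "CVE-2020-10650",
    "CVE-2019-17531", "CVE-2019-16943", "CVE-2019-16335", "CVE-2019-14892",
    "CVE-2019-14439", "CVE-2019-12814", "CVE-2019-12086", "CVE-2018-19361",
    "CVE-2018-14721", "CVE-2018-14719", "CVE-2018-12023", "CVE-2018-11307",
]
KNOWN_VULNERABLE = {
    ("xmlgraphics-commons", "2.0"): ["CVE-2020-11988"],
    ("batik-*", "1.8"): ["CVE-2020-11987"],
    ("jackson-databind", "2.9.5"): JACKSON_DATABIND_2_9_5_CVES,
    # pom.properties says "1.52", the filename heuristic yields "152":
    # list both spellings so either lookup path hits.
    ("bcprov-jdk15on", "1.52"): ["CVE-2020-15522"],
    ("bcprov-jdk15on", "152"): ["CVE-2020-15522"],
}

FILENAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar$")


def jar_coordinates(jar_path):
    """Return (artifactId, version, source) for one jar.

    Caveat: a shaded/uber jar can carry several pom.properties files (one per
    bundled dependency); this takes the first, which is fine for plain
    library jars like the ones in the report.
    """
    with zipfile.ZipFile(jar_path) as zf:
        for member in zf.namelist():
            if member.startswith("META-INF/maven/") and member.endswith("/pom.properties"):
                props = {}
                for line in zf.read(member).decode("utf-8", "replace").splitlines():
                    line = line.strip()
                    if line and not line.startswith("#") and "=" in line:
                        key, _, value = line.partition("=")
                        props[key.strip()] = value.strip()
                if "artifactId" in props and "version" in props:
                    return props["artifactId"], props["version"], "pom.properties"
    m = FILENAME_RE.match(os.path.basename(jar_path))
    if m:
        return m.group("artifact"), m.group("version"), "filename"
    return os.path.basename(jar_path), None, "unknown"


def cves_for(artifact, version):
    """CVE ids from KNOWN_VULNERABLE that apply to this exact artifact/version."""
    hits = []
    for (name, vuln_version), ids in KNOWN_VULNERABLE.items():
        if version != vuln_version:
            continue
        if (name.endswith("*") and artifact.startswith(name[:-1])) or artifact == name:
            hits.extend(ids)
    return hits


def scan_lib_dir(lib_dir):
    """Map each jar filename to its coordinates, how they were found, and CVE hits."""
    report = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        artifact, version, source = jar_coordinates(jar)
        report[jar.name] = {
            "artifact": artifact,
            "version": version,
            "source": source,
            "cves": cves_for(artifact, version) if version else [],
        }
    return report


def build_sample_lib(root):
    """Write constructed stand-in jars (metadata only) mimicking the report's filenames."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)

    def write_jar(name, coords=None):
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if coords:
                group, artifact, version = coords
                zf.writestr(
                    f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n",
                )

    write_jar("xmlgraphics-commons-2.0.jar", ("org.apache.xmlgraphics", "xmlgraphics-commons", "2.0"))
    write_jar("batik-anim-1.8.jar")  # no pom.properties: exercises the filename fallback
    write_jar("batik-svggen-1.8.jar")
    write_jar("jackson-databind-2.9.5.jar", ("com.fasterxml.jackson.core", "jackson-databind", "2.9.5"))
    write_jar("bcprov-jdk15on-152.jar", ("org.bouncycastle", "bcprov-jdk15on", "1.52"))
    write_jar("example-helper-1.0.jar", ("org.example", "example-helper", "1.0"))  # hypothetical, no hits
    return root


def demo_report():
    """Scan a freshly built sample directory (offline demo)."""
    return scan_lib_dir(build_sample_lib(tempfile.mkdtemp()))


if __name__ == "__main__":
    import sys
    report = scan_lib_dir(sys.argv[1]) if len(sys.argv) > 1 else demo_report()
    for name, info in report.items():
        status = f"{len(info['cves'])} known CVE(s)" if info["cves"] else "no match"
        print(f"{name}: {info['artifact']} {info['version']} via {info['source']}: {status}")
```

Run it with a directory argument (`python3 scan_jars.py /usr/share/arduino/lib`) to inventory a real install; with no argument it scans the constructed sample set. The `source` column is the part worth reading: a jar resolved only via `filename` has no embedded coordinates, so its version should be confirmed from the MANIFEST.MF or the upstream build before filing anything.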