| Summary: | [Tracker] Remote code execution in dev-java/bcel | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED | | |
| Severity: | normal | Keywords: | PullRequest |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://github.com/gentoo/gentoo/pull/32668 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 880447, 859397, 859400 | | |
| Bug Blocks: | | | |
Description
John Helmert III
2022-07-19 19:26:31 UTC

https://www.openwall.com/lists/oss-security/2022/10/18/2

"it appears the underlying bug is in Apache Commons bcel and not in Apache Xalan itself. See https://bugs.debian.org/1015860"

So I guess some of the dependencies here are invalid.

Comment 2 (John Helmert III)

I guess Apache wants to keep the duplicates.

Comment 3

(In reply to John Helmert III from comment #2)
> I guess Apache wants to keep the duplicates.

Actually, they responded to my mail and will handle marking the duplicate as such \o/

Comment 4 (Larry the Git Cow)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3cc2f17cd66be72f77a9335d4e2588325a8d7367

commit 3cc2f17cd66be72f77a9335d4e2588325a8d7367
Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-09-06 22:59:28 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-09-19 11:04:48 +0000

    dev-java/xalan: add 2.7.3 - CVE-2022-34169

    Bug: https://bugs.gentoo.org/859394
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/32668
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/xalan/Manifest           |  2 ++
 dev-java/xalan/xalan-2.7.3.ebuild | 45 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

Comment 5 (John Helmert III)

(In reply to Larry the Git Cow from comment #4)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3cc2f17cd66be72f77a9335d4e2588325a8d7367
>
> commit 3cc2f17cd66be72f77a9335d4e2588325a8d7367
> Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
> AuthorDate: 2023-09-06 22:59:28 +0000
> Commit: Miroslav Šulc <fordfrog@gentoo.org>
> CommitDate: 2023-09-19 11:04:48 +0000
>
>     dev-java/xalan: add 2.7.3 - CVE-2022-34169
>
>     Bug: https://bugs.gentoo.org/859394
>     Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
>     Closes: https://github.com/gentoo/gentoo/pull/32668
>     Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
>
>  dev-java/xalan/Manifest           |  2 ++
>  dev-java/xalan/xalan-2.7.3.ebuild | 45 +++++++++++++++++++++++++++++++++++++++
>  2 files changed, 47 insertions(+)

We shouldn't be affected by this though, right? xalan depends on bcel, so shouldn't be using the vulnerable bundled bcel?

Comment 6

(In reply to John Helmert III from comment #5)
> (In reply to Larry the Git Cow from comment #4)
> [...]
> We shouldn't be affected by this though, right? xalan depends on bcel, so
> shouldn't be using the vulnerable bundled bcel?

Right. There is bcel-6.7.0.jar in xalan{,-serializer}'s lib directory but ::gentoo does not use it.