Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 859400

Summary: <dev-java/openjdk{,-jre-bin,-bin}-{8.345_p01,11.0.16.1_p1,17.0.4.1_p1}: remote code execution via bundled dev-java/bcel
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: graaff, gyakovlev, java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2022/07/19/5
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 859394    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-19 19:31:09 UTC 
See tracker for (few) details, apparently xalan is bundled in openjdk, according to URL:

"Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-21 22:30:13 UTC 
https://openjdk.org/groups/vulnerability/advisories/2022-07-19

"These issues have been addressed, as applicable, in the following releases:
  7u351, 8u342, 11.0.16, 13.0.12, 15.0.8, 17.0.4, and 18.0.2"
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 00:54:11 UTC 
The vulnerability is in bcel, seems like that's bundled here as well.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-10 05:06:22 UTC 
(In reply to John Helmert III from comment #1)
> https://openjdk.org/groups/vulnerability/advisories/2022-07-19
> 
> "These issues have been addressed, as applicable, in the following releases:
>   7u351, 8u342, 11.0.16, 13.0.12, 15.0.8, 17.0.4, and 18.0.2"

Hm, to be clear, these are tracked in bug 859376, not here.
Comment 4 Larry the Git Cow gentoo-dev 2024-01-17 13:45:36 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=192b729d81f588010b67c1e39e06aa02c513b126

commit 192b729d81f588010b67c1e39e06aa02c513b126
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-17 13:45:06 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-17 13:45:28 +0000

    [ GLSA 202401-25 ] OpenJDK: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/859376
    Bug: https://bugs.gentoo.org/859400
    Bug: https://bugs.gentoo.org/877597
    Bug: https://bugs.gentoo.org/891323
    Bug: https://bugs.gentoo.org/908243
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-25.xml | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)