
Bug 877577 (CVE-2022-42889)

Summary: <dev-java/commons-text-1.10.0: arbitrary code execution via StringLookup interpolation
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: java
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
See Also: https://github.com/gentoo/gentoo/pull/27802
https://github.com/gentoo/gentoo/pull/27941
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 877763    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-18 20:40:26 UTC
CVE-2022-42889 (http://www.openwall.com/lists/oss-security/2022/10/13/4):

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Please bump to 1.10.0.
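Added example (not part of this bug, the linked commits, or the Apache Commons Text project): the advisory's "${prefix:name}" mechanism, with the mitigation an application can apply on its own side regardless of the library version. Instead of StringSubstitutor.createInterpolator(), which on 1.5 through 1.9 registers "script", "dns" and "url" by default, the interpolator is built from an explicit allowlist of StringLookup prefixes, and templates are scanned for prefixes outside that allowlist before use. The public API calls (StringLookupFactory, StringSubstitutor, interpolatorStringLookup with addDefaultLookups=false, setDisableSubstitutionInValues) are the library's own; the class name SafeInterpolation, the "cfg" prefix and the sample template and config values are constructed for this example.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/** Example (not project code): interpolate with an explicit allowlist of lookup prefixes. */
public final class SafeInterpolation {

    /** Matches the "${prefix:" part of a prefixed reference, capturing the prefix. */
    private static final Pattern PREFIXED_REF = Pattern.compile("\\$\\{([^:}]+):");

    /** The only prefixes this application wants to resolve ("cfg" is a hypothetical name). */
    static final Set<String> ALLOWED_PREFIXES = Set.of("sys", "env", "cfg");

    /** Builds a substitutor that knows only the lookups in the allowlist. */
    static StringSubstitutor allowlistedSubstitutor(Map<String, String> appConfig) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;

        // The text before the first ':' selects the lookup; keys are matched case-insensitively.
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", f.systemPropertyStringLookup());     // ${sys:java.version}
        allowed.put("env", f.environmentVariableStringLookup()); // ${env:HOME}
        allowed.put("cfg", f.mapStringLookup(appConfig));        // ${cfg:key}, app-supplied map

        // addDefaultLookups=false: nothing beyond this map is registered, so there is no
        // "script", "dns" or "url" lookup to reach. No default lookup either, so a bare
        // ${name} without a prefix is not resolved.
        StringLookup interpolator = f.interpolatorStringLookup(allowed, null, false);

        return new StringSubstitutor(interpolator)
                // A value returned by a lookup is used verbatim; it is not interpolated again,
                // so a config value that itself contains ${...} cannot chain into another lookup.
                .setDisableSubstitutionInValues(true);
    }

    /** Returns every prefix referenced in the template that is not in the allowlist. */
    static Set<String> disallowedPrefixes(String template) {
        Set<String> found = new TreeSet<>();
        Matcher m = PREFIXED_REF.matcher(template);
        while (m.find()) {
            String prefix = m.group(1).toLowerCase(Locale.ROOT);
            if (!ALLOWED_PREFIXES.contains(prefix)) {
                found.add(prefix);
            }
        }
        return found;
    }

    /** Resolves a template. Prefixes with no registered lookup are left as literal text. */
    static String resolve(StringSubstitutor sub, String template) {
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample configuration.
        Map<String, String> cfg = new HashMap<>();
        cfg.put("data.dir", "/var/lib/app");

        StringSubstitutor sub = allowlistedSubstitutor(cfg);

        // Constructed input: two allowed references and one "script" reference of the kind an
        // untrusted configuration value could carry. Only the allowed ones are expanded.
        String template = "${cfg:data.dir}/cache on Java ${sys:java.version}"
                + " -- ${script:javascript:1 + 1}";

        Set<String> rejected = disallowedPrefixes(template);
        if (!rejected.isEmpty()) {
            // A real application would log this against the config source and refuse the value.
            System.err.println("template references disallowed lookup prefixes: " + rejected);
        }
        System.out.println(resolve(sub, template));
    }
}
```

Two design points: the allowlist approach works the same way on 1.9 and 1.10.0, so it is worth keeping after the upgrade, since 1.10.0 only changes the defaults and the removed lookups can still be registered explicitly; and the prefix scan runs before substitution so that a rejected reference is reported from the untrusted input itself rather than inferred from what survived in the output.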
Comment 1 Larry the Git Cow gentoo-dev 2022-10-20 11:26:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5a83e6b764ed915e5b2dbacdf6b2cbb7c9b6bdd

commit a5a83e6b764ed915e5b2dbacdf6b2cbb7c9b6bdd
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-16 08:12:52 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-10-20 11:18:21 +0000

    dev-java/commons-text: add 1.10.0 (CVE-2022-42889)
    
    Bug: https://bugs.gentoo.org/877577
    
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/27802
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/commons-text/Manifest                   |  1 +
 dev-java/commons-text/commons-text-1.10.0.ebuild | 59 ++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-20 15:38:51 UTC
Thanks! Please stabilize when ready.
Comment 3 Larry the Git Cow gentoo-dev 2022-10-25 21:55:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07e28cb7773bf8a1766227b964661533012765f8

commit 07e28cb7773bf8a1766227b964661533012765f8
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-25 13:18:40 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-25 21:55:41 +0000

    dev-java/commons-text: drop 1.9
    
    Bug: https://bugs.gentoo.org/877577
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/27941
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-java/commons-text/Manifest                |  1 -
 dev-java/commons-text/commons-text-1.9.ebuild | 43 ---------------------------
 2 files changed, 44 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 18:56:02 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2023-01-11 05:22:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=45e0bd72744551e71baa23cf23de456d4dd49331

commit 45e0bd72744551e71baa23cf23de456d4dd49331
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:18:10 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:05 +0000

    [ GLSA 202301-05 ] Apache Commons Text: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/877577
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-05.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-11 05:25:36 UTC
GLSA released, all done!