Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 908513 (CVE-2023-2976)

Summary: <dev-java/guava-32.1.2: insecure temporary directory creation
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: java
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=760111
https://github.com/gentoo/gentoo/pull/31449
https://github.com/gentoo/gentoo/pull/32645
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 913690    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-15 05:09:11 UTC 
CVE-2023-2976 (https://github.com/google/guava/issues/2575):

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

A patch is in 32.0.0 (and seems to indicate this is a continuation of
the issue in CVE-2020-8908):
https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284
Comment 1 Larry the Git Cow gentoo-dev 2023-09-05 07:43:22 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4de1eaacd9218695074c1a3ba6595e600f19e831

commit 4de1eaacd9218695074c1a3ba6595e600f19e831
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-06-15 09:00:09 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-09-05 07:40:17 +0000

    dev-java/guava: add 32.1.2
    
    Bug: https://bugs.gentoo.org/908513
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/guava/Manifest            |  1 +
 dev-java/guava/guava-32.1.2.ebuild | 39 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-09-06 07:58:41 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09087115a677da4fa4ff0295ffb521c2f0785be3

commit 09087115a677da4fa4ff0295ffb521c2f0785be3
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-09-06 07:31:03 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2023-09-06 07:58:32 +0000

    dev-java/guava: drop 31.1
    
    Bug: https://bugs.gentoo.org/908513
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/32645
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/guava/Manifest          |  1 -
 dev-java/guava/guava-31.1.ebuild | 52 ----------------------------------------
 2 files changed, 53 deletions(-)
Comment 3 Volkmar W. Pogatzki 2023-10-06 09:21:47 UTC 
The tree is clean. Pls proceed.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-23 04:34:24 UTC 
All done, thanks!