Bug 476958 (CVE-2013-1571) - <dev-java/ant-1.9.2: JavaDoc Spoofing Vulnerability (CVE-2013-1571)
Summary: <dev-java/ant-1.9.2: JavaDoc Spoofing Vulnerability (CVE-2013-1571)
Status: RESOLVED FIXED
Alias: CVE-2013-1571
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54067/
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 475846
Blocks:
Reported: 2013-07-15 18:38 UTC by Agostino Sarubbo
Modified: 2014-06-29 16:28 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-07-15 18:38:28 UTC
From ${URL} :

Description

Apache has acknowledged a vulnerability in Apache Ant, which can be exploited by malicious people to conduct spoofing attacks.

The vulnerability is caused due to the application using a vulnerable version of the JavaDoc tool to generate documentation.

For more information see vulnerability #38 in:
SA53846

The vulnerability is reported in versions prior to 1.9.2.


Solution:
Update to version 1.9.2.

Original Advisory:
http://www.apache.org/dist/ant/RELEASE-NOTES-1.9.2.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=55132




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 03:12:30 UTC
Ping, needs a bump.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 03:12:46 UTC
CVE-2013-1571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571):
  Unspecified vulnerability in the Javadoc component in Oracle Java SE 7
  Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and
  earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to
  affect integrity via unknown vectors related to Javadoc. NOTE: the previous
  information is from the June 2013 CPU. Oracle has not commented on claims
  from another vendor that this issue is related to frame injection in HTML
  that is generated by Javadoc.
Comment 3 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-08-28 22:26:36 UTC
+  28 Aug 2013; Tom Wijsman <TomWij@gentoo.org> ant-tasks.eclass:
+  Made ant-tasks.eclass support newer versions of the 1.9 branch.

+  28 Aug 2013; Tom Wijsman <TomWij@gentoo.org> +ant*-1.9.2.ebuild:
+  Version bump to 1.9.2. Fixes security bug #476958.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-28 22:43:17 UTC
@java team: are we good to stabilize? and do we need any dependencies, or is stabilizing dev-java/ant* sufficient?
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-30 22:50:49 UTC
@java: ping
Comment 6 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-10-17 17:59:15 UTC
Thanks for the ping, I guess I thought about delaying it for a few days back then; but since we're more than a month later the testing is more than sufficient. Since I have used this every day and it works, please go ahead.

Target keywords for ~dev-java/ant-1.9.2: amd64 ppc x86

Dependency stabilization list:

	~dev-java/ant-antlr-1.9.2
	~dev-java/ant-apache-bcel-1.9.2
	~dev-java/ant-apache-bsf-1.9.2
	~dev-java/ant-apache-log4j-1.9.2
	~dev-java/ant-apache-oro-1.9.2
	~dev-java/ant-apache-regexp-1.9.2
	~dev-java/ant-apache-resolver-1.9.2
	~dev-java/ant-apache-xalan2-1.9.2
	~dev-java/ant-commons-logging-1.9.2
	~dev-java/ant-commons-net-1.9.2
	~dev-java/ant-core-1.9.2
	~dev-java/ant-jai-1.9.2
	~dev-java/ant-javamail-1.9.2
	~dev-java/ant-jdepend-1.9.2
	~dev-java/ant-jmf-1.9.2
	~dev-java/ant-jsch-1.9.2
	~dev-java/ant-junit-1.9.2
	~dev-java/ant-nodeps-1.9.2
	~dev-java/ant-swing-1.9.2
	~dev-java/ant-testutil-1.9.2
	~dev-java/ant-trax-1.9.2

For ppc64, it is unkeyworded, feel free to consider stabilization; bug #475846.

No big bugs that seem to block any of this...
Comment 7 Myckel Habets 2013-10-18 17:10:27 UTC
Stabilizing these packages/versions as well?

The following keyword changes are necessary to proceed:
 (see "package.accept_keywords" in the portage(5) man page for more details)
# required by dev-java/hamcrest-core-1.3
# required by dev-java/junit-4.11
# required by dev-java/ant-junit4-1.9.2
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/hamcrest-generator-1.3-r1 ~x86
# required by dev-java/junit-4.11
# required by dev-java/ant-junit4-1.9.2
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/hamcrest-core-1.3 ~x86
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/junit-4.11 ~x86
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/ant-junit4-1.9.2 ~x86
# required by dev-java/hamcrest-generator-1.3-r1
# required by dev-java/hamcrest-core-1.3
# required by dev-java/junit-4.11
# required by dev-java/ant-junit4-1.9.2
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/qdox-1.12-r1 ~x86
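The block Portage printed above is the input an arch tester turns into `package.accept_keywords` entries. As an added example, not code from this bug or from Portage, the following Python parses that output format into structured records (atom, keyword, the `# required by` chain that led to it) and renders the lines to write, while refusing a bare `**` keyword, which would accept unkeyworded or live ebuilds rather than the intended `~arch` testing keyword. The sample text is a constructed trim of comment 7's output; `=dev-java/example-1.0` in the usage is a made-up atom.

```python
"""Parse Portage's "keyword changes are necessary" output into
package.accept_keywords entries (added example; not Portage code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two of the atoms from the Portage output in comment 7.
SAMPLE = """\
The following keyword changes are necessary to proceed:
 (see "package.accept_keywords" in the portage(5) man page for more details)
# required by dev-java/hamcrest-core-1.3
# required by dev-java/junit-4.11
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/hamcrest-generator-1.3-r1 ~x86
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/junit-4.11 ~x86
"""

# An atom line: optional version operator, category/package[-version], then the keyword.
ATOM_RE = re.compile(r"^(?P<atom>[=<>~]*[a-z0-9-]+/[A-Za-z0-9_.+-]+)\s+(?P<kw>\S+)\s*$")
# A reason line; the optional parenthesised tail is Portage's note such as "(argument)".
REQ_RE = re.compile(r"^#\s*required by\s+(?P<by>\S+)(?:\s+\((?P<why>[^)]*)\))?\s*$")


@dataclass
class KeywordChange:
    atom: str
    keyword: str
    required_by: list[str] = field(default_factory=list)


def parse_keyword_changes(text: str) -> list[KeywordChange]:
    """Group each run of '# required by' lines with the atom line that follows it."""
    changes: list[KeywordChange] = []
    pending: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ_RE.match(line)
        if m:
            pending.append(m.group("by"))
            continue
        m = ATOM_RE.match(line)
        if m:
            changes.append(KeywordChange(m.group("atom"), m.group("kw"), pending))
            pending = []
            continue
        # Header, blank or unrelated line: drop any reasons so they are not
        # attributed to a later atom they do not belong to.
        pending = []
    return changes


def render_accept_keywords(changes: list[KeywordChange]) -> tuple[list[str], list[str]]:
    """Return (lines to write, atoms refused).

    A '**' keyword tells Portage to accept any keyword, including unkeyworded and
    live ebuilds, so it is reported back instead of being written silently.
    """
    lines: list[str] = []
    rejected: list[str] = []
    for c in changes:
        if c.keyword == "**":
            rejected.append(c.atom)
            continue
        if c.required_by:
            lines.append("# required by " + " <- ".join(c.required_by))
        lines.append(f"{c.atom} {c.keyword}")
    return lines, rejected


if __name__ == "__main__":
    parsed = parse_keyword_changes(SAMPLE)
    # Hypothetical extra entry showing how a '**' keyword is refused.
    parsed.append(KeywordChange("=dev-java/example-1.0", "**"))
    out, refused = render_accept_keywords(parsed)
    print("\n".join(out))
    print("refused:", refused)
```

Feeding the full block from comment 7 through `parse_keyword_changes` yields the five atoms the maintainer confirmed in comment 8, each with its requirement chain back to `=dev-java/ant-testutil-1.9.2`.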
Comment 8 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-10-19 11:41:57 UTC
(In reply to Myckel Habets from comment #7)
> Stabilizing these packages/versions as well?
> 
> =dev-java/hamcrest-generator-1.3-r1
> =dev-java/hamcrest-core-1.3
> =dev-java/junit-4.11
> =dev-java/ant-junit4-1.9.2
> =dev-java/qdox-1.12-r1

Affirmative, go ahead.
Comment 9 Myckel Habets 2013-10-20 07:50:06 UTC
No problems encountered while arch testing all these packages on x86. Please mark stable for x86.
Comment 10 Agostino Sarubbo gentoo-dev 2013-10-20 11:18:00 UTC
amd64 and x86 stable, thanks Myckel
Comment 11 Agostino Sarubbo gentoo-dev 2013-10-20 15:22:48 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-10-20 16:46:43 UTC
ppc/ppc64 done
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 02:35:17 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 14 Sergey Popov gentoo-dev 2014-06-29 16:28:12 UTC
GLSA vote: No

Closing as noglsa