Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 497652 (CVE-2013-7285) - <dev-java/xstream-1.4.8-r1: Remote code execution (CVE-2013-7285)
Summary: <dev-java/xstream-1.4.8-r1: Remote code execution (CVE-2013-7285)
Alias: CVE-2013-7285
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on: 547912
Blocks: 564616
  Show dependency tree
Reported: 2014-01-10 00:15 UTC by Samuel Damashek (RETIRED)
Modified: 2016-12-13 06:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Samuel Damashek (RETIRED) gentoo-dev 2014-01-10 00:15:50 UTC
Malicious XML, when deserialized using XStream, can execute arbitrary code because the program runs the XML code specified without first verifying the type.
Comment 2 Joerg Schaible 2015-03-06 22:50:36 UTC
xstream 1.4.7 and 1.4.8 contains the fix
Comment 3 Patrice Clement gentoo-dev 2015-10-31 17:37:33 UTC
commit 9b1f3f6 (HEAD, master)
Author: Patrice Clement <>
Date:   Sat Oct 31 17:31:57 2015 +0000

    dev-java/xstream: Version bump. Fixes security bug 497652.
    Package-Manager: portage-
    Signed-off-by: Patrice Clement <>

 create mode 100644 dev-java/xstream/xstream-1.4.8.ebuild

I needed it to bump groovy to its lastest iteration.

Arch teams

Please stabilise:

Target arches:
amd64 ppc ppc64 x86

Thank you!
Comment 4 Patrice Clement gentoo-dev 2015-11-01 13:35:57 UTC
There was a bug with xstream-1.4.8: this package does need Java 8, meaning at least a {jdk,jre} version >= 1.8.

As a result, please stabilise:

Target arches:
amd64 x86 (we don't support Java 8 on ppc+ppc64.. yet).

Thank you.
Comment 5 Patrice Clement gentoo-dev 2015-11-04 10:39:23 UTC
This will have to wait until virtual/{jre,jdk}-1.8 is marked stable. James is working at it. Please bear with us.
Comment 6 Agostino Sarubbo gentoo-dev 2015-11-04 10:44:12 UTC
CC back arches when 547912 is resolved.
Comment 7 James Le Cuirot gentoo-dev 2016-05-17 21:51:14 UTC
Java 8 is stable now. Go forth, monsieurp!
Comment 8 Agostino Sarubbo gentoo-dev 2016-05-19 07:41:21 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-05-19 07:42:35 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Patrice Clement gentoo-dev 2016-05-19 23:56:13 UTC
commit 144dad3f486dbd6189724db13c28566110aaa482 (HEAD -> master)
Author:     Patrice Clement <>
AuthorDate: Thu May 19 21:54:00 2016 +0100
Commit:     Patrice Clement <>
CommitDate: Thu May 19 23:27:26 2016 +0000

    dev-java/xstream: Remove vulnerable version. Fixes bug 497652.
    Package-Manager: portage-2.2.28

 dev-java/xstream/Manifest                |  1 -
 dev-java/xstream/xstream-1.3.1-r4.ebuild | 62 --------------------------------------------------------------
 2 files changed, 63 deletions(-)
 delete mode 100644 dev-java/xstream/xstream-1.3.1-r4.ebuild
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 21:30:58 UTC
New GLSA created.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 06:48:56 UTC
This issue was resolved and addressed in
 GLSA 201612-35 at
by GLSA coordinator Aaron Bauman (b-man).