From ${URL} : It was found that the Xalan-Java secure processing feature imposes insufficient constraints: * Java properties, bound to XSLT 1.0 system-property(), are accessible. * Output properties that allow to load arbitrary classes or resources are allowed. * Arbitrary code can be executed if the Bean Scripting Framework (BSF) is in the classpath, as it allows to spawn available JARs with secure processing disabled, effectively bypassing the intended protection. A remote attacker who is able to provide XSL that will be processed by Xalan-Java could use this flaw to bypass the constraints of the secure processing feature. Depending on the components available on the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Upstream bug: https://issues.apache.org/jira/browse/XALANJ-2435 Upstream patch commit: http://svn.apache.org/viewvc?view=revision&revision=1581058 External References: http://www.ocert.org/advisories/ocert-2014-002.html
CVE-2014-0107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0107): The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Note as per upstream this has been Fixed in 2.7.2 Also has been pushed to: https://svn.apache.org/repos/asf/xalan/java/branches/xalan-j_2_7_1_maint Maintainer(s): after the bump please let us know when the ebuild is ready for stabilization.
dev-java/xalan-serializer and dev-java/xalan now bumped. Removal may have to wait till I drop ia64. This is next on my list but I'm about to leave for a week.
I have marked these stable according to ALLARCHES policy and dropped the old versions. Security team, please proceed.
ping @security. Please proceed and close this bug if there's no outstanding item left.
GLSA Assigned: 322528253
This issue was resolved and addressed in GLSA 201604-02 at https://security.gentoo.org/glsa/201604-02 by GLSA coordinator Yury German (BlueKnight).
