Bug 534498 - <dev-java/commons-beanutils-1.9.2: Security bypass in ClassLoader (CVE-2014-0114)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2015-01-03 19:09 UTC by GLSAMaker/CVETool Bot
Modified: 2016-07-20 08:52 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 19:09:03 UTC
CVE-2014-0114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0114):
  Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar
  in Apache Struts 1.x through 1.3.10 and in other products requiring
  commons-beanutils through 1.9.2, does not suppress the class property, which
  allows remote attackers to "manipulate" the ClassLoader and execute
  arbitrary code via the class parameter, as demonstrated by the passing of
  this parameter to the getClass method of the ActionForm object in Struts 1.
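The CVE text describes the root cause: BeanUtils exposes the `class` property of every bean through `Object.getClass()`, so a property path beginning with `class.` can walk from a request-populated bean to its ClassLoader. Release 1.9.2 added `SuppressPropertiesBeanIntrospector`, which removes `class` from the introspected property set, but in 1.9.2 it is not registered by default; an application that populates beans from untrusted parameters must add it to the `PropertyUtilsBean` it uses. The following is an added example, not code from this bug report or from the commons-beanutils project; the `UserForm` bean and the parameter map are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassPropertyExample {

    // Constructed sample bean standing in for a web form or DTO that is
    // filled from request parameters.
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Builds a BeanUtilsBean whose introspection hides the 'class' property.
    // SUPPRESS_CLASS ships in commons-beanutils 1.9.2 but is opt-in there, so
    // it has to be registered on every PropertyUtilsBean the application uses.
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        PropertyUtilsBean propertyUtils = beanUtils.getPropertyUtils();
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return beanUtils;
    }

    // Reports whether a given PropertyUtilsBean still lets callers read the
    // 'class' property of the bean, i.e. whether the ClassLoader is reachable
    // through a nested property path.
    public static boolean exposesClassProperty(PropertyUtilsBean propertyUtils, Object bean) {
        return propertyUtils.isReadable(bean, "class");
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();

        // Default behaviour on 1.9.2: 'class' is an ordinary readable property.
        PropertyUtilsBean defaults = new PropertyUtilsBean();
        System.out.println("default exposes 'class': " + exposesClassProperty(defaults, form));

        // Hardened instance: 'class' is no longer part of the property set.
        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("hardened exposes 'class': "
                + exposesClassProperty(hardened.getPropertyUtils(), form));

        // Constructed request parameters; only the legitimate field is applied.
        Map<String, Object> params = new HashMap<>();
        params.put("name", "alice");
        hardened.populate(form, params);
        System.out.println("name = " + form.getName());
    }
}
```

The check is worth running against every `PropertyUtilsBean` instance in the application, not just one: the static `BeanUtils` and `PropertyUtils` facades use their own per-classloader singleton (`BeanUtilsBean.getInstance()`), and a framework that bundles its own copy of commons-beanutils, as Struts 1 does, is not protected by registering the introspector on an instance it never sees.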
Comment 1 Patrice Clement gentoo-dev 2015-08-21 09:41:42 UTC
* commit df0dbde (HEAD, master)
| Author: Patrice Clement <monsieurp@gentoo.org>
| Date:   Fri Aug 21 10:40:02 2015 +0000
|
|     dev-java/commons-beanutils: Version bump. Fixes security bug 534498.
|
|     Package-Manager: portage-2.2.18
|     Signed-off-by: Patrice Clement <monsieurp@gentoo.org>
|
|  create mode 100644 dev-java/commons-beanutils/commons-beanutils-1.9.2.ebuild

Arch teams,

Please stabilise:
=dev-java/commons-beanutils-1.9.2

Target arches:
amd64 ppc ppc64 x86

Thanks.
Comment 2 Agostino Sarubbo gentoo-dev 2015-08-25 06:53:58 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-08-25 06:54:22 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-08-26 07:30:56 UTC
ppc stable
Comment 5 Patrice Clement gentoo-dev 2015-09-03 13:33:51 UTC
* commit 0c2e619
| Author: Patrice Clement <monsieurp@gentoo.org>
| Date:   Thu Sep 3 06:18:32 2015 -0700
|
|     dev-java/commons-beanutils: Stable for ppc64. Fixes security bug 534498.
|
|     Package-Manager: portage-2.2.20.1
|
|
Comment 6 Patrice Clement gentoo-dev 2015-09-03 13:34:20 UTC
commit 15cc32e (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Thu Sep 3 06:20:17 2015 -0700

    dev-java/commons-beanutils: Remove vulnerable versions. Fixes security bug 534498.

    Package-Manager: portage-2.2.20.1

 delete mode 100644 dev-java/commons-beanutils/commons-beanutils-1.8.0.ebuild
 delete mode 100644 dev-java/commons-beanutils/commons-beanutils-1.8.3.ebuild

Security,

Please vote.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-09-05 19:30:36 UTC
glsa request is filed
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 08:52:26 UTC
This issue was resolved and addressed in
 GLSA 201607-09 at https://security.gentoo.org/glsa/201607-09
by GLSA coordinator Aaron Bauman (b-man).