Bug 575482 (CVE-2016-2510) - <dev-java/bsh-2.0_beta6: remote code execution via deserialization
Summary: <dev-java/bsh-2.0_beta6: remote code execution via deserialization
Status: RESOLVED FIXED
Alias: CVE-2016-2510
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: 576846
Reported: 2016-02-23 15:08 UTC by Agostino Sarubbo
Modified: 2016-07-30 00:55 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2016-02-23 15:08:20 UTC
From ${URL} :

An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source.

A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands.

External references:

https://github.com/beanshell/beanshell/releases/tag/2.0b6

Upstream patches:

https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49

https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Patrice Clement gentoo-dev 2016-02-23 17:38:30 UTC
commit 9c796dcc0d36ed7a9795f7b154fe6ab4964a8529 (HEAD -> master, origin/master, origin/HEAD)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Tue Feb 23 16:29:55 2016 +0000

    dev-java/bsh: Version bump. Fixes security bug 575482.
    
    Whilst at it, this commit also bumps the ebuild to EAPI version 5.
    
    Package-Manager: portage-2.2.26
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 dev-java/bsh/Manifest                |  1 +
 dev-java/bsh/bsh-2.0_beta4-r4.ebuild |  2 +-
 dev-java/bsh/bsh-2.0_beta6.ebuild    | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 dev-java/bsh/bsh-2.0_beta6.ebuild

Arch teams,

Please stabilise:
dev-java/bsh/bsh-2.0_beta6

Target arches:
amd64 ppc64 x86

Thank you.
Comment 2 Agostino Sarubbo gentoo-dev 2016-03-02 13:59:34 UTC
amd64 stable
Comment 3 Patrice Clement gentoo-dev 2016-03-15 10:05:06 UTC
commit 1e540757694cacf45317bdd687d3c33d96827194 (HEAD -> master)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Tue Mar 15 09:49:45 2016 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Tue Mar 15 09:49:45 2016 +0000

    dev-java/bsh: Stable for ppc64+x86. Fixes security bug 575482.
    
    As per IRC discussion with Agostino.
    
    Package-Manager: portage-2.2.26

 dev-java/bsh/bsh-2.0_beta6.ebuild | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
Comment 4 Patrice Clement gentoo-dev 2016-03-15 10:07:17 UTC
commit 666ad6d66632323fa4444badf35988038aaf01fa (HEAD -> master)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Tue Mar 15 09:52:51 2016 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Tue Mar 15 09:53:18 2016 +0000

    dev-java/bsh: Clean up vulnerable version. Fixes security bug 575482.
    
    Package-Manager: portage-2.2.26

 dev-java/bsh/Manifest                   |   2 --
 dev-java/bsh/bsh-2.0_beta4-r4.ebuild    |  68 ---------------------------------------------------------
 dev-java/bsh/files/bsh2-readline.patch  | 151 ------------------------------------------------------------------------------------------------------------------------------
 dev-java/bsh/files/bsh2.0b4-build.patch |  53 --------------------------------------------
 4 files changed, 274 deletions(-)
 delete mode 100644 dev-java/bsh/bsh-2.0_beta4-r4.ebuild
 delete mode 100644 dev-java/bsh/files/bsh2-readline.patch
 delete mode 100644 dev-java/bsh/files/bsh2.0b4-build.patch

Security team, please vote.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-15 10:56:55 UTC
GLSA request opened.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-07-30 00:55:20 UTC
This issue was resolved and addressed in
 GLSA 201607-17 at https://security.gentoo.org/glsa/201607-17
by GLSA coordinator Aaron Bauman (b-man).