Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 605690 (CVE-2016-6814) - dev-java/groovy: remote execution of untrusted code in class MethodClosure (CVE-2016-6814)
Summary: dev-java/groovy: remote execution of untrusted code in class MethodClosure (C...
Status: RESOLVED FIXED
Alias: CVE-2016-6814
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://groovy-lang.org/security.html
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-14 14:32 UTC by Thomas Deutschmann
Modified: 2020-07-08 10:46 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
freemind-1.0.1-r4.ebuild (freemind-1.0.1-r4.ebuild,2.92 KB, text/plain)
2019-08-15 12:40 UTC, Soren Harward
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-01-14 14:32:26 UTC
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

* Unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3
* Apache Groovy 2.4.4 to 2.4.7
* Fixed in version 2.4.8

Impact:

Remote execution of untrusted code, DoS

Description:

When an application with Groovy on classpath uses standard
Java serialization mechanisms, e.g. to communicate between servers
or to store local data, it is possible for an attacker to bake a special
serialized object that will execute code directly when deserialized.
All applications which rely on serialization and do not isolate the
code which deserializes objects are subject to this vulnerability.
This is similar to CVE-2015-3253 (bug 555470) but this exploit involves extra
wrapping of objects and catching of exceptions which are now safe
guarded against.

Mitigation:

Users of Groovy relying on (de)serialization with the affected versions
should apply one of the following mitigations:

* Isolate the code doing the (de)serialization
* Upgrade to Apache Groovy 2.4.8 or later
* Users of older versions of Groovy can apply the following patch to the
`MethodClosure` class
(`src/main/org/codehaus/groovy/runtime/MethodClosure.java`):

```
public class MethodClosure extends Closure {
+    private void readObject(java.io.ObjectInputStream stream) throws
IOException, ClassNotFoundException {
+        if (ALLOW_RESOLVE) {
+            stream.defaultReadObject();
+        }
+        throw new UnsupportedOperationException();
+    }
```

Credit:

This vulnerability was discovered by:

* Sam Thomas of Pentest Limited working with Trend Micro's Zero Day Initiative

History:

* 2016-09-20 Original advisory
* 2017-01-12 Updated information on affected versions

References:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
* http://groovy-lang.org/security.html
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-01-14 14:33:56 UTC
@ Maintainer(s): Please bump to >=dev-java/groovy-2.4.8!
Comment 2 Demetris Nakos (sokan) 2018-05-27 19:21:16 UTC
@maintainer(s): ping

Please bump to latest stable version 2.4.14 (https://github.com/apache/groovy/releases/tag/GROOVY_2_4_14) which contains the fix. 

Demetris Nakos
-- Gentoo Security Padawan --
Comment 3 opncow 2019-01-31 14:47:33 UTC
@ Maintainer(s): Is a Bump possible? We meanwhile have version 2.5.5. Thanks!
Comment 4 Miroslav Šulc gentoo-dev 2019-02-01 12:23:00 UTC
i have looked at the bump but it's not trivial. any help from someone who uses groovy and could update the ebuild to the latest version would be appreciated.
Comment 5 Larry the Git Cow gentoo-dev 2019-08-14 19:50:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76dc9d72ea85ea427b36c5224130fb5063e9579f

commit 76dc9d72ea85ea427b36c5224130fb5063e9579f
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-14 19:49:23 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-14 19:49:23 +0000

    profiles/package.mask: mask dev-java/groovy
    
    * 1 rdep
    
    Bug: https://bugs.gentoo.org/605690
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 6 Soren Harward 2019-08-15 12:36:07 UTC
Groovy is optional for Freemind.  Since the security problem is only in Groovy, can we remove Groovy support from Freemind, instead of completely removing Freemind?
Comment 7 Soren Harward 2019-08-15 12:40:44 UTC
Created attachment 586822 [details]
freemind-1.0.1-r4.ebuild

freemind ebuild with groovy support removed
Comment 8 Larry the Git Cow gentoo-dev 2019-09-14 15:26:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6453206e0e5250ffcdf275d4697282169dcf99d4

commit 6453206e0e5250ffcdf275d4697282169dcf99d4
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-14 15:22:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-14 15:25:56 +0000

    dev-java/groovy: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/605690
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-java/groovy/Manifest                           |   1 -
 .../groovy/files/groovy-2.4.5-utils.gradle.patch   | 116 ------------------
 dev-java/groovy/groovy-2.4.5.ebuild                | 135 ---------------------
 dev-java/groovy/metadata.xml                       |  14 ---
 profiles/package.mask                              |   5 -
 5 files changed, 271 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38bfb985b1a420f4de6fff9fc0afa398bf7b830e

commit 38bfb985b1a420f4de6fff9fc0afa398bf7b830e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-14 15:20:13 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-14 15:25:55 +0000

    app-misc/freemind: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/605690
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-misc/freemind/Manifest                 |   1 -
 app-misc/freemind/freemind-1.0.1-r3.ebuild | 121 -----------------------------
 app-misc/freemind/metadata.xml             |  17 ----
 profiles/package.mask                      |   1 -
 4 files changed, 140 deletions(-)
Comment 9 Róbert Čerňanský 2019-09-14 16:04:39 UTC
Is there a particular reason why the contributed solution from comment #7 was not used for freemind but it was removed instead?
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-03-12 19:14:23 UTC
This issue was resolved and addressed in
 GLSA 202003-01 at https://security.gentoo.org/glsa/202003-01
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Pavel Goran 2020-07-08 10:46:35 UTC
(In reply to Róbert Čerňanský from comment #9)
> Is there a particular reason why the contributed solution from comment #7
> was not used for freemind but it was removed instead?

It's an interesting question.