Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
* Unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3
* Apache Groovy 2.4.4 to 2.4.7
* Fixed in version 2.4.8

Impact: Remote execution of untrusted code, DoS

Description:
When an application with Groovy on the classpath uses the standard Java serialization mechanism, e.g. to communicate between servers or to store local data, an attacker can craft a specially serialized object that executes code directly when it is deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. This is similar to CVE-2015-3253 (bug 555470), but this exploit involves extra wrapping of objects and catching of exceptions, which the fix now guards against.

Mitigation:
Users of Groovy relying on (de)serialization with the affected versions should apply one of the following mitigations:
* Isolate the code doing the (de)serialization
* Upgrade to Apache Groovy 2.4.8 or later
* Users of older versions of Groovy can apply the following patch to the `MethodClosure` class (`src/main/org/codehaus/groovy/runtime/MethodClosure.java`):

```
public class MethodClosure extends Closure {
+ private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException {
+ if (ALLOW_RESOLVE) {
+ stream.defaultReadObject();
+ }
+ throw new UnsupportedOperationException();
+ }
```

Credit:
This vulnerability was discovered by:
* Sam Thomas of Pentest Limited working with Trend Micro's Zero Day Initiative

History:
* 2016-09-20 Original advisory
* 2017-01-12 Updated information on affected versions

References:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
* http://groovy-lang.org/security.html
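Review bot: the `throw new UnsupportedOperationException();` at the end of the added readObject is unconditional, so when ALLOW_RESOLVE is true the method first consumes the stream with `stream.defaultReadObject();` and then still throws; the opt-in flag never actually lets a MethodClosure deserialize. Add `return;` after `stream.defaultReadObject();` or move the throw into an else branch. Two smaller points for anyone backporting: the hunk uses ALLOW_RESOLVE without declaring it, so it presupposes a MethodClosure that already carries that flag and the readResolve guard from the CVE-2015-3253 fix, which the unsupported 1.7.0 to 2.4.3 line listed above does not have, so this hunk alone is not a complete patch there; and the parameter type is written fully qualified as `java.io.ObjectInputStream` while `IOException` in the throws clause is not, so check that the file imports java.io.IOException before applying.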
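An allowlisting ObjectInputStream as one concrete way to make sure a gadget class such as org.codehaus.groovy.runtime.MethodClosure is never instantiated from an untrusted stream. This is an added example, not code from the advisory or from the Groovy project, and it goes beyond the mitigations the advisory lists (it is a class allowlist rather than isolation or an upgrade). It overrides resolveClass so that only class names the application expects are resolved; the names Greeting, Unexpected and AllowlistObjectInputStream and the allowlist contents are assumptions for the demonstration, and Unexpected stands in for a gadget whose readObject runs code. Because the check happens when the class descriptor is read, the rejected class is never loaded or instantiated, so there is no object left behind for a wrapping class to reuse even if that wrapper catches the exception, which is the trick the advisory describes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not Groovy project code): an ObjectInputStream that only
 * resolves classes on an explicit allowlist. Any other class name found in
 * the stream, e.g. org.codehaus.groovy.runtime.MethodClosure, is rejected
 * before its readObject/readResolve can run.
 */
public class AllowlistDeserialization {

    /** Benign application type we actually expect in the stream (assumed name). */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Stand-in for an unexpected class; mimics a gadget whose readObject runs code. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            throw new IllegalStateException("readObject executed: gadget code ran");
        }
    }

    /** ObjectInputStream that refuses every class not on the allowlist. */
    public static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Exact-name allowlist: reject before the class is loaded or any instance exists.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted for deserialization");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // Dynamic proxies are a common gadget ingredient; refuse them outright.
            throw new InvalidClassException("java.lang.reflect.Proxy", "proxy classes not permitted");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = new HashSet<>(Arrays.asList(Greeting.class.getName()));

        // 1. The expected type deserializes normally.
        byte[] ok = serialize(new Greeting("hello"));
        try (ObjectInputStream in = new AllowlistObjectInputStream(ok, allowed)) {
            Greeting g = (Greeting) in.readObject();
            System.out.println("accepted: " + g.text);
        }

        // 2. An unexpected type is rejected at class resolution, before its readObject runs.
        byte[] bad = serialize(new Unexpected());
        try (ObjectInputStream in = new AllowlistObjectInputStream(bad, allowed)) {
            in.readObject();
            System.out.println("BUG: gadget class was resolved");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        } catch (IllegalStateException e) {
            System.out.println("BUG: readObject ran: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing, through ObjectInputFilter and ObjectInputStream.setObjectInputFilter; the resolveClass override shown here has the advantage of working on the older runtimes that shipped with Groovy 2.4.x.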
@ Maintainer(s): Please bump to >=dev-java/groovy-2.4.8!
@maintainer(s): ping

Please bump to latest stable version 2.4.14 (https://github.com/apache/groovy/releases/tag/GROOVY_2_4_14) which contains the fix.

Demetris Nakos
--
Gentoo Security Padawan
@ Maintainer(s): Is a bump possible? Meanwhile we have version 2.5.5. Thanks!
I have looked at the bump but it's not trivial. Any help from someone who uses groovy and could update the ebuild to the latest version would be appreciated.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76dc9d72ea85ea427b36c5224130fb5063e9579f

commit 76dc9d72ea85ea427b36c5224130fb5063e9579f
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-14 19:49:23 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-14 19:49:23 +0000

    profiles/package.mask: mask dev-java/groovy

    * 1 rdep

    Bug: https://bugs.gentoo.org/605690
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Groovy is optional for Freemind. Since the security problem is only in Groovy, can we remove Groovy support from Freemind, instead of completely removing Freemind?
Created attachment 586822: freemind-1.0.1-r4.ebuild

freemind ebuild with groovy support removed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6453206e0e5250ffcdf275d4697282169dcf99d4

commit 6453206e0e5250ffcdf275d4697282169dcf99d4
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-14 15:22:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-14 15:25:56 +0000

    dev-java/groovy: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/605690
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-java/groovy/Manifest                           |   1 -
 .../groovy/files/groovy-2.4.5-utils.gradle.patch   | 116 ------------------
 dev-java/groovy/groovy-2.4.5.ebuild                | 135 ---------------------
 dev-java/groovy/metadata.xml                       |  14 ---
 profiles/package.mask                              |   5 -
 5 files changed, 271 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38bfb985b1a420f4de6fff9fc0afa398bf7b830e

commit 38bfb985b1a420f4de6fff9fc0afa398bf7b830e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-14 15:20:13 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-14 15:25:55 +0000

    app-misc/freemind: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/605690
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-misc/freemind/Manifest                 |   1 -
 app-misc/freemind/freemind-1.0.1-r3.ebuild | 121 -----------------------------
 app-misc/freemind/metadata.xml             |  17 ----
 profiles/package.mask                      |   1 -
 4 files changed, 140 deletions(-)
Is there a particular reason why the contributed solution from comment #7 was not used for freemind but it was removed instead?
This issue was resolved and addressed in GLSA 202003-01 at https://security.gentoo.org/glsa/202003-01 by GLSA coordinator Thomas Deutschmann (whissi).
(In reply to Róbert Čerňanský from comment #9)
> Is there a particular reason why the contributed solution from comment #7
> was not used for freemind but it was removed instead?

It's an interesting question.