Bug 760111 (CVE-2018-10237, CVE-2020-8908) - <dev-java/guava-30.1.1: Multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908)
Summary: <dev-java/guava-30.1.1: Multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908)
Alias: CVE-2018-10237, CVE-2020-8908
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 809974 831439 833309 833758
Reported: 2020-12-16 06:24 UTC by Sam James
Modified: 2023-06-15 05:09 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 06:24:58 UTC
* CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

* CVE-2020-8908

A temp directory creation vulnerability exists in Guava versions prior to 30.0, allowing an attacker with access to the machine to potentially access data in a temporary directory created by Guava. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, updating to Java 7 or later, or explicitly changing the permissions after the creation of the directory if neither is possible.
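The allocation pattern behind CVE-2018-10237, as an added example that is not part of this bug and not Guava's code: a stand-in class (DoubleArray, a hypothetical name) keeps doubles as raw long bits the way AtomicDoubleArray does, and its readObject() can run in the pre-24.1.1 shape, which sizes the backing array from the length field before reading a single element, or in a bounded shape that grows the buffer only as elements actually arrive. main() constructs a hostile stream of a few dozen bytes that claims 2^31-1 elements and feeds it to both readers. The two static switches, the helper names and the 16-element initial buffer are demo choices, not anything from Guava.

```java
import java.io.*;
import java.util.Arrays;

/*
 * Added illustration of the CVE-2018-10237 allocation pattern; not Guava's code.
 * DoubleArray stands in for AtomicDoubleArray (doubles kept as raw long bits). Two
 * demo-only switches make one class act as the hostile writer and as the pre-fix or
 * the bounded reader, so both readObject() shapes sit side by side.
 */
public class EagerAllocDemo {
    static boolean forgeHugeLength = false; // writer claims Integer.MAX_VALUE elements and ships none
    static boolean boundedRead = false;     // false = pre-24.1.1 shape (trust the length), true = bounded

    static final class DoubleArray implements Serializable {
        private static final long serialVersionUID = 1L;
        transient long[] bits;

        DoubleArray(double... values) {
            bits = Arrays.stream(values).mapToLong(Double::doubleToRawLongBits).toArray();
        }

        double[] values() {
            return Arrays.stream(bits).mapToDouble(Double::longBitsToDouble).toArray();
        }

        private void writeObject(ObjectOutputStream s) throws IOException {
            s.defaultWriteObject();
            if (forgeHugeLength) {
                s.writeInt(Integer.MAX_VALUE); // four bytes on the wire, nothing follows
                return;
            }
            s.writeInt(bits.length);
            for (long b : bits) s.writeLong(b);
        }

        private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
            s.defaultReadObject();
            int length = s.readInt();
            bits = boundedRead ? readBounded(s, length) : readEager(s, length);
        }
    }

    // Vulnerable shape: 8 * length bytes are allocated on the sender's say-so before any element is read.
    static long[] readEager(ObjectInputStream s, int length) throws IOException {
        long[] out = new long[length];
        for (int i = 0; i < length; i++) out[i] = s.readLong();
        return out;
    }

    // Bounded shape: the buffer grows only as elements arrive, so memory tracks the bytes actually sent.
    static long[] readBounded(ObjectInputStream s, int length) throws IOException {
        if (length < 0) throw new InvalidObjectException("negative length " + length);
        long[] buf = new long[Math.min(length, 16)];
        int n = 0;
        for (int i = 0; i < length; i++) {
            if (n == buf.length) buf = Arrays.copyOf(buf, (int) Math.min(length, 2L * n));
            buf[n++] = s.readLong(); // EOFException here if the claimed length was a lie
        }
        return Arrays.copyOf(buf, n);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        forgeHugeLength = true; // constructed hostile payload: a few dozen bytes claiming 2^31-1 elements
        byte[] hostile = serialize(new DoubleArray());
        forgeHugeLength = false;
        System.out.println("hostile stream: " + hostile.length + " bytes");

        boundedRead = false;
        try {
            deserialize(hostile);
        } catch (OutOfMemoryError e) { // ~16 GiB requested before a single element is read
            System.out.println("eager reader:   " + e);
        }

        boundedRead = true;
        try {
            deserialize(hostile);
        } catch (IOException e) { // stream runs dry with at most 16 longs buffered
            System.out.println("bounded reader: " + e);
        }

        DoubleArray ok = (DoubleArray) deserialize(serialize(new DoubleArray(1.5, -2.0, 3.25)));
        System.out.println("round trip:     " + Arrays.toString(ok.values()));
    }
}
```

Integer.MAX_VALUE is used so that the eager reader fails deterministically (HotSpot refuses an array that large outright); a real attacker picks a length just above the victim's heap so that the allocation is actually attempted and the JVM burns memory and time on it. A java.io.ObjectInputFilter maxarray limit does not catch this case either: the array is allocated by readObject() itself rather than described by an array record in the stream, so the filter never sees it, and the library upgrade is the fix.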
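The temp-directory issue behind CVE-2020-8908, as an added example that is not from this bug and not Guava's code: guavaStyleTempDir() mirrors the File.mkdir() loop that com.google.common.io.Files.createTempDir() used before 30.0, so the new directory gets whatever mode the umask leaves, typically 0755 under /tmp and therefore listable by every local user; privateTempDir() and tightenAfterwards() are the two remedies the advisory lists besides upgrading, and isOwnerOnly() is the check to apply to either. The class and method names and the "app-" prefix are assumptions, and it needs a POSIX file system because the permission calls throw UnsupportedOperationException elsewhere.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/*
 * Added example for CVE-2020-8908; not Guava's code. guavaStyleTempDir() mirrors
 * the File.mkdir() loop that com.google.common.io.Files.createTempDir() used before
 * 30.0, so the directory mode is whatever the umask leaves (usually 0755 under /tmp).
 * The other two methods are the remedies the advisory lists; isOwnerOnly() is the
 * check to run against either. POSIX only: the permission calls throw elsewhere.
 */
public class TempDirDemo {

    static final Set<PosixFilePermission> OWNER_ONLY = PosixFilePermissions.fromString("rwx------");

    // Pre-30.0 shape: mkdir() under java.io.tmpdir with the mode left to the umask.
    static File guavaStyleTempDir() throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"));
        String baseName = System.currentTimeMillis() + "-";
        for (int counter = 0; counter < 10000; counter++) {
            File dir = new File(base, baseName + counter);
            if (dir.mkdir()) return dir;
        }
        throw new IOException("failed to create temp dir under " + base);
    }

    // Java 7+ remedy: the file system creates the directory owner-only in one step.
    static Path privateTempDir() throws IOException {
        // nio already defaults to rwx------ on POSIX; passing it explicitly documents the
        // requirement and fails loudly on a file system that cannot honour it.
        return Files.createTempDirectory("app-", PosixFilePermissions.asFileAttribute(OWNER_ONLY));
    }

    // Fallback the advisory mentions for code stuck on createTempDir(): tighten afterwards.
    // Between mkdir() and this chmod other local users can at least list the (empty) directory.
    static Path tightenAfterwards(File dir) throws IOException {
        Path p = dir.toPath();
        Files.setPosixFilePermissions(p, OWNER_ONLY);
        return p;
    }

    // True when no group/other bit is set: the assertion a deployment test should make.
    static boolean isOwnerOnly(Path dir) throws IOException {
        return OWNER_ONLY.containsAll(Files.getPosixFilePermissions(dir));
    }

    static String mode(Path dir) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(dir));
    }

    public static void main(String[] args) throws IOException {
        File legacy = guavaStyleTempDir();
        Path modern = privateTempDir();
        try {
            Path legacyPath = legacy.toPath();
            System.out.println("createTempDir-style: " + mode(legacyPath) + " ownerOnly=" + isOwnerOnly(legacyPath));
            System.out.println("createTempDirectory: " + mode(modern) + " ownerOnly=" + isOwnerOnly(modern));
            Path fixed = tightenAfterwards(legacy);
            System.out.println("after chmod:         " + mode(fixed) + " ownerOnly=" + isOwnerOnly(fixed));
        } finally {
            Files.deleteIfExists(legacy.toPath());
            Files.deleteIfExists(modern);
        }
    }
}
```

The chmod fallback protects anything written into the directory after it runs, but between mkdir() and the chmod the empty directory is already visible to other users, so prefer createTempDirectory(), which applies the mode atomically at creation.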
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:25:08 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:33:40 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:41:33 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:49:42 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:05:37 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:13:56 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2022-01-19 02:36:56 UTC
The bug has been referenced in the following commit(s):

commit db6f1ad5edce356930cecb857d94a4fd58c7e9ee
Author:     Jeffrey Lin <>
AuthorDate: 2021-06-19 03:58:45 +0000
Commit:     Sam James <>
CommitDate: 2022-01-19 02:36:46 +0000

    dev-java/guava: add 30.1.1
    Going back to SLOT 0 as upstream claims "APIs without `@Beta` will
    remain binary-compatible for the indefinite future." [1]
    Signed-off-by: Jeffrey Lin <>
    Signed-off-by: Sam James <>

 dev-java/guava/Manifest            |  1 +
 dev-java/guava/guava-30.1.1.ebuild | 58 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2022-06-17 13:50:25 UTC
The bug has been referenced in the following commit(s):

commit 33275e7369fbcc1bb980d6f5e81d3e91e450a614
Author:     Volkmar W. Pogatzki <>
AuthorDate: 2022-06-17 11:43:29 +0000
Commit:     Arthur Zamarin <>
CommitDate: 2022-06-17 13:50:13 +0000

    dev-java/guava: drop 20.0, 20.0-r1
    Signed-off-by: Volkmar W. Pogatzki <>
    Signed-off-by: Arthur Zamarin <>

 dev-java/guava/Manifest             |  1 -
 dev-java/guava/guava-20.0-r1.ebuild | 36 ------------------------------------
 dev-java/guava/guava-20.0.ebuild    | 36 ------------------------------------
 3 files changed, 73 deletions(-)