Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 760111 (CVE-2018-10237, CVE-2020-8908) - <dev-java/guava-30.1.1: Multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908)
Summary: <dev-java/guava-30.1.1: Multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908)
Status: IN_PROGRESS
Alias: CVE-2018-10237, CVE-2020-8908
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 809974 831439 833309 833758
Blocks:
  Show dependency tree
 
Reported: 2020-12-16 06:24 UTC by Sam James
Modified: 2023-06-15 05:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 06:24:58 UTC
* CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

* CVE-2020-8908

A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:25:08 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:33:40 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:41:33 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:49:42 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:05:37 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:13:56 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2022-01-19 02:36:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6f1ad5edce356930cecb857d94a4fd58c7e9ee

commit db6f1ad5edce356930cecb857d94a4fd58c7e9ee
Author:     Jeffrey Lin <jeffrey@icurse.nl>
AuthorDate: 2021-06-19 03:58:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-19 02:36:46 +0000

    dev-java/guava: add 30.1.1
    
    Going back to SLOT 0 as upstream claims "APIs without `@Beta` will
    remain binary-compatible for the indefinite future." [1]
    
    [1]: https://github.com/google/guava#important-warnings
    
    Bug: https://bugs.gentoo.org/760111
    Closes: https://bugs.gentoo.org/809974
    Signed-off-by: Jeffrey Lin <jeffrey@icurse.nl>
    Closes: https://github.com/gentoo/gentoo/pull/21318
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/guava/Manifest            |  1 +
 dev-java/guava/guava-30.1.1.ebuild | 58 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2022-06-17 13:50:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33275e7369fbcc1bb980d6f5e81d3e91e450a614

commit 33275e7369fbcc1bb980d6f5e81d3e91e450a614
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-06-17 11:43:29 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2022-06-17 13:50:13 +0000

    dev-java/guava: drop 20.0, 20.0-r1
    
    Closes: https://bugs.gentoo.org/833309
    Closes: https://bugs.gentoo.org/657692
    Bug: https://bugs.gentoo.org/760111
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/25940
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-java/guava/Manifest             |  1 -
 dev-java/guava/guava-20.0-r1.ebuild | 36 ------------------------------------
 dev-java/guava/guava-20.0.ebuild    | 36 ------------------------------------
 3 files changed, 73 deletions(-)