Bug 802165 (CVE-2021-36373, CVE-2021-36374) - <dev-java/ant{,-core}-1.10.14: multiple vulnerabilities (CVE-2021-{36373,36374})
Summary: <dev-java/ant{,-core}-1.10.14: multiple vulnerabilities (CVE-2021-{36373,36374})
Status: CONFIRMED
Alias: CVE-2021-36373, CVE-2021-36374
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [stable?]
Keywords: PullRequest
Depends on: 922766 921269 922765
Blocks:
Reported: 2021-07-14 14:28 UTC by John Helmert III
Modified: 2024-02-03 07:22 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-14 14:28:47 UTC
CVE-2021-36373 (https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E):

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

CVE-2021-36374 (https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E):

When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.


Fixes in 1.10.11, please bump.
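
The fixed releases quoted above sit on two branches, so a single "older than 1.10.11" comparison would wrongly flag 1.9.16 as affected. The following is an added example, not part of the bug report or of Gentoo's tooling, that classifies an Ant version string per branch; the function names are hypothetical and a `sort` supporting `-V` is assumed.

```sh
#!/bin/sh
# Added example: classify an Apache Ant version against the fixed releases
# named in the advisories (1.9.16 and 1.10.11). Function names are hypothetical.

# ver_lt A B: succeed when A sorts strictly before B (needs sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# ant_status VERSION: print "affected" or "fixed".
ant_status() {
    v=${1%%-r[0-9]*}          # drop a Gentoo revision suffix such as -r5
    if ver_lt "$v" 1.10; then
        fixed=1.9.16          # 1.9.x branch and anything older
    else
        fixed=1.10.11         # 1.10.x branch
    fi
    if ver_lt "$v" "$fixed"; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample versions, not taken from the bug report.
for sample in 1.9.15 1.9.16 1.10.9-r5 1.10.11 1.10.14; do
    printf '%s\t%s\n' "$sample" "$(ant_status "$sample")"
done
```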
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:09:25 UTC
Package list is empty or all packages have requested keywords.
Comment 8 Volkmar W. Pogatzki 2022-02-02 18:34:00 UTC
According to [1] the vulnerability is from dev-java/ant-core which is a dependency of dev-java/ant.

[1] https://mvnrepository.com/artifact/org.apache.ant/ant
Comment 9 Larry the Git Cow gentoo-dev 2024-01-23 09:42:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3e32af191491a385fea63c285d0eade85d329c1

commit d3e32af191491a385fea63c285d0eade85d329c1
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-12-26 10:47:11 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-01-23 09:42:33 +0000

    dev-java/ant-core: compatibility symlink, add 1.10.14
    
    Some packages still depend on dev-java/ant-core just for getting ant.jar
    into their classpath. Starting from version 1.10.14 ant-core is no longer
    used as a regular package. Instead, ant.jar is provided by dev-java/ant.
    
    This version of dev-java/ant-core provides only the package.env file to
    register the compatibility symlink /usr/share/ant-core/lib/ant.jar which
    is provided by dev-java/ant.
    
    Delete this package at the end of transition period after adjusting
    JAVA_ANT_E_DEPEND in java-ant-2.eclass when all reverse dependencies
    have switched to dev-java/ant.
    
    Bug: https://bugs.gentoo.org/802165
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/ant-core/ant-core-1.10.14.ebuild | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9098e1e1174f7f4eef989a538e29a8469e816363

commit 9098e1e1174f7f4eef989a538e29a8469e816363
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-12-24 18:38:07 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-01-23 09:42:33 +0000

    dev-java/ant: add 1.10.14 - CVE-2021-36373, CVE-2021-36374
    
    Starting from version 1.10.14, dev-java/ant provides itself ant.jar and
    ant-launcher.jar instead of having them symlinked from dev-java/ant-core.
    
    Jar files of ant-tasks and optionally their javadoc get installed
    conditionally according to their USE flags. Those which have no compile
    dependencies are installed unconditionally
    
    Closes: https://bugs.gentoo.org/921269
    Bug: https://bugs.gentoo.org/850430
    Bug: https://bugs.gentoo.org/802165
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/ant/Manifest                           |   2 +
 dev-java/ant/ant-1.10.14.ebuild                 | 369 +++++++++++++++++++++++
 dev-java/ant/files/1.10.9-launch.patch          | 361 +++++++++++++++++++++++
 dev-java/ant/files/ant-1.10.14-AntTest.patch    |  28 ++
 dev-java/ant/files/ant-1.10.14-AntlibTest.patch |  40 +++
 dev-java/ant/files/ant-1.10.14-JavaTest.patch   | 370 ++++++++++++++++++++++++
 dev-java/ant/files/ant-1.10.14-LinkTest.patch   |  87 ++++++
 dev-java/ant/files/ant-1.10.14-PathTest.patch   |  30 ++
 8 files changed, 1287 insertions(+)
Comment 10 Hans de Graaff gentoo-dev Security 2024-01-24 13:58:51 UTC
We don't have a security whiteboard status for keywording even though that still needs to happen first, so I've added the stable? (waiting for a stable bug) status.