859400 – dev-java/openjdk{,-jre-bin,-bin}: remote code execution via bundled dev-java/bcel

Bug 859400 - dev-java/openjdk{,-jre-bin,-bin}: remote code execution via bundled dev-java/bcel

Summary: dev-java/openjdk{,-jre-bin,-bin}: remote code execution via bundled dev-java/...

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:	B1 [ebuild]
Keywords:

Depends on:
Blocks:	CVE-2022-34169, CVE-2022-42920
	Show dependency tree

Reported:	2022-07-19 19:31 UTC by John Helmert III
Modified:	2023-06-10 05:06 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-07-19 19:31:09 UTC

See tracker for (few) details, apparently xalan is bundled in openjdk, according to URL:

"Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan."

Comment 1 John Helmert III archtester

2022-07-21 22:30:13 UTC

https://openjdk.org/groups/vulnerability/advisories/2022-07-19

"These issues have been addressed, as applicable, in the following releases:
  7u351, 8u342, 11.0.16, 13.0.12, 15.0.8, 17.0.4, and 18.0.2"

Comment 2 John Helmert III archtester

2022-10-21 00:54:11 UTC

The vulnerability is in bcel, seems like that's bundled here as well.

Comment 3 John Helmert III archtester

2023-06-10 05:06:22 UTC

(In reply to John Helmert III from comment #1)
> https://openjdk.org/groups/vulnerability/advisories/2022-07-19
> 
> "These issues have been addressed, as applicable, in the following releases:
>   7u351, 8u342, 11.0.16, 13.0.12, 15.0.8, 17.0.4, and 18.0.2"

Hm, to be clear, these are tracked in bug 859376, not here.