Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
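The advisory describes a classic Java deserialization gadget chain: the vulnerable code is never called directly, it only runs when an application deserializes an attacker-supplied stream containing a `LazyList`. Besides upgrading, the standard defensive control on the JVM is a serialization filter (`java.io.ObjectInputFilter`, JDK 9+) that rejects unexpected classes before any of their `readObject` logic executes. The following is an added example, not code from the bug report or from the Scala project; the `Job` class and the allow-list pattern are assumptions standing in for whatever an application legitimately deserializes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class LazyListFilterExample {

    // Hypothetical application record that legitimately travels over the wire.
    public static final class Job implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Job(String name) { this.name = name; }
    }

    // Assumed policy (not from the advisory): an allow-list of exactly the classes the
    // application expects. The explicit "!scala.collection.immutable.LazyList*" entry
    // documents the gadget named in the advisory and also covers its nested proxy
    // classes; the trailing "!*" is what actually closes the door on everything else.
    static final ObjectInputFilter POLICY = ObjectInputFilter.Config.createFilter(
            "!scala.collection.immutable.LazyList*;"
            + "LazyListFilterExample$Job;java.lang.String;"
            + "maxdepth=10;maxrefs=100;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // Deserialize with the filter attached: the JDK consults POLICY for every class
    // descriptor, array and reference it reads, before instantiating anything.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(POLICY);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected class: accepted.
        Job job = (Job) deserialize(serialize(new Job("nightly-build")));
        System.out.println("accepted: " + job.name);

        // A HashMap is not on the allow-list, so the stream is refused by the "!*"
        // entry as soon as its class descriptor is read, without running any
        // readObject() code from the payload. A LazyList stream would be refused the
        // same way (it cannot be built here without scala-library on the classpath).
        try {
            deserialize(serialize(new HashMap<String, String>()));
            System.out.println("unexpected: HashMap accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac LazyListFilterExample.java && java LazyListFilterExample`. The same pattern string can be applied process-wide, without touching application code, via the `jdk.serialFilter` system property (`-Djdk.serialFilter=...`), which is the quickest way to verify in a staging environment whether an application actually needs to deserialize `LazyList` at all before relying on the version bump alone.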
This seems to only be a mitigation against certain kinds of vulnerabilities in Scala programs, so no GLSA. Please bump.
The bug has been referenced in the following commit(s):
Author: Florian Schmaus <firstname.lastname@example.org>
AuthorDate: 2022-09-28 15:38:31 +0000
Commit: Florian Schmaus <email@example.com>
CommitDate: 2022-09-28 15:39:46 +0000
dev-lang/scala-bin: add 2.13.9
Signed-off-by: Florian Schmaus <firstname.lastname@example.org>
dev-lang/scala-bin/Manifest | 1 +
dev-lang/scala-bin/scala-bin-2.13.9.ebuild | 77 ++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+)
Thanks Flow! Not sure how I missed the existence of scala-bin.
I'm not sure if we can trust the CVE's assertion that this only affects Scala 2.13.x, so keeping at [ebuild] for now for dev-lang/scala itself. Please stabilize scala-bin-2.13.9 when ready.