CVE-2022-36944: Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. This seems to only be a mitigation against certain kinds of vulnerabilities in Scala programs, so no GLSA. Please bump.
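The CVE text above hinges on the condition "in conjunction with LazyList object deserialization within an application": the gadget chain can only start if an application's `ObjectInputStream` is willing to resolve `scala.collection.immutable.LazyList` from untrusted bytes. Besides bumping to 2.13.9, the application-side control for this whole class of problem is a JDK deserialization filter (JEP 290, `java.io.ObjectInputFilter`, Java 9+) that allowlists the few classes the stream is expected to carry and rejects everything else. The example below is added here as an illustration and is not code from the Gentoo bug, the Scala project, or the CVE advisory; the allowlist contents and the class name `AllowlistDeserialization` are constructed for the demonstration, and `HashMap` stands in for any class not on the list (LazyList would be refused in exactly the same way, without Scala needing to be on the classpath).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

public class AllowlistDeserialization {

    // Constructed allowlist: only the classes this hypothetical application expects to read.
    // scala.collection.immutable.LazyList (the CVE-2022-36944 entry point) is deliberately absent,
    // as is every other class not named here, so an unexpected gadget class never gets resolved.
    private static final Set<String> ALLOWED = Set.of(
        "java.util.ArrayList",
        "java.lang.String",
        "java.lang.Integer",
        "java.lang.Number"
    );

    // ObjectInputFilter (JDK 9+, JEP 290) is consulted by ObjectInputStream for every class it
    // resolves while reading the stream, before any readObject/readResolve code of that class runs.
    static final ObjectInputFilter ALLOWLIST_FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Not a class-resolution check (depth, reference count, back-reference): let the
            // stream continue and decide on the next class that shows up.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        // For arrays, judge the component type rather than the synthetic array class name.
        while (c.isArray()) {
            c = c.getComponentType();
        }
        if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        // Anything else (LazyList included) aborts the read with InvalidClassException.
        return ObjectInputFilter.Status.REJECTED;
    };

    // Helper for the demo: serialize an object to bytes, standing in for data read from a socket or file.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on this stream only.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOWLIST_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowlisted payload: an ArrayList of Strings is read normally.
        List<String> ok = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowlisted: " + deserializeFiltered(serialize(ok)));

        // Non-allowlisted payload: HashMap is refused before its readObject runs,
        // which is the same outcome a LazyList in the stream would get.
        HashMap<String, Integer> notAllowed = new HashMap<>();
        notAllowed.put("k", 1);
        try {
            deserializeFiltered(serialize(notAllowed));
            System.out.println("unexpected: HashMap accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same policy can be expressed as a pattern string, `ObjectInputFilter.Config.createFilter("java.util.ArrayList;java.lang.*;!*")`, or applied process-wide with `-Djdk.serialFilter=...` so that no stream in the JVM is left unfiltered; an allowlist is preferable to blocklisting `scala.collection.immutable.LazyList*` alone, because a blocklist only covers the gadget classes already known.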
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e35d7d6b7a1e56e29fb6e515693208ab0ba370c9

commit e35d7d6b7a1e56e29fb6e515693208ab0ba370c9
Author: Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-09-28 15:38:31 +0000
Commit: Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-09-28 15:39:46 +0000

dev-lang/scala-bin: add 2.13.9

Bug: https://bugs.gentoo.org/872695
Signed-off-by: Florian Schmaus <flow@gentoo.org>

dev-lang/scala-bin/Manifest | 1 +
dev-lang/scala-bin/scala-bin-2.13.9.ebuild | 77 ++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+)
Thanks Flow! Not sure how I missed the existence of scala-bin. I'm not sure if we can trust the CVE's assertion that this only affects Scala 2.13.x, so keeping at [ebuild] for now for dev-lang/scala itself. Please stabilize scala-bin-2.13.9 when ready.