Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 872695 (CVE-2022-36944) - dev-lang/scala <dev-lang/scala-bin-2.13.9: deserialization gadget chain
Summary: dev-lang/scala <dev-lang/scala-bin-2.13.9: deserialization gadget chain
Alias: CVE-2022-36944
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa ebuild]
Depends on:
Reported: 2022-09-24 19:59 UTC by John Helmert III
Modified: 2022-09-28 22:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-24 19:59:42 UTC

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

This seems to only be a mitigation against certain kinds of
vulnerabilities in Scala programs, so no GLSA. Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2022-09-28 15:39:54 UTC
The bug has been referenced in the following commit(s):

commit e35d7d6b7a1e56e29fb6e515693208ab0ba370c9
Author:     Florian Schmaus <>
AuthorDate: 2022-09-28 15:38:31 +0000
Commit:     Florian Schmaus <>
CommitDate: 2022-09-28 15:39:46 +0000

    dev-lang/scala-bin: add 2.13.9
    Signed-off-by: Florian Schmaus <>

 dev-lang/scala-bin/Manifest                |  1 +
 dev-lang/scala-bin/scala-bin-2.13.9.ebuild | 77 ++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-28 22:50:16 UTC
Thanks Flow! Not sure how I missed the existence of scala-bin.

I'm not sure if we can trust the CVE's assertion that this only affects Scala 2.13.x, so keeping at [ebuild] for now for dev-lang/scala itself. Please stabilize scala-bin-2.13.9 when ready.