Bug 877577 (CVE-2022-42889) - <dev-java/commons-text-1.10.0: arbitrary code execution via StringLookup interpolation
Summary: <dev-java/commons-text-1.10.0: arbitrary code execution via StringLookup inte...
Status: RESOLVED FIXED
Alias: CVE-2022-42889
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://lists.apache.org/thread/n2bd4...
Whiteboard: B1 [glsa+]
Keywords: PullRequest
Depends on: 877763
Blocks:
Reported: 2022-10-18 20:40 UTC by John Helmert III
Modified: 2023-01-11 05:25 UTC
Package list:
Runtime testing required: ---
Description John Helmert III 2022-10-18 20:40:26 UTC
CVE-2022-42889 (http://www.openwall.com/lists/oss-security/2022/10/13/4):

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Please bump to 1.10.0.
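As an added illustration (not code from this bug report, the Gentoo ebuild, or Apache Commons Text itself) of the mitigation available to an application that still runs an affected 1.5 through 1.9 release: build the StringSubstitutor from an explicit allow-list of lookups instead of the interpolator defaults, so that the "script", "dns" and "url" prefixes described above are never consulted. The allowed prefixes ("sys", "env") and the sample configuration value are assumptions chosen for this example.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedInterpolation {

    // Interpolator built from an explicit allow-list of prefixes (assumed: sys, env).
    // addDefaultLookups=false keeps the library defaults (script, dns, url, ...) out,
    // and a null default lookup means an unknown prefix resolves to nothing, so the
    // "${...}" text is left untouched instead of being evaluated.
    public static StringSubstitutor restricted() {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        allowed.put("env", StringLookupFactory.INSTANCE.environmentVariableStringLookup());
        StringLookup lookup =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup);
    }

    public static void main(String[] args) {
        // Constructed sample of a configuration value that came from an untrusted source.
        String untrusted = "owner=${sys:user.name} calc=${script:javascript:1+1}";

        // Interpolation with the library defaults: on 1.5 through 1.9 the script lookup
        // is enabled, so the second variable is handed to javax.script (or throws when
        // the JVM ships no JavaScript engine). On 1.10.0 it is left unresolved.
        String withDefaults = StringSubstitutor.createInterpolator().replace(untrusted);

        // Allow-listed interpolation: "sys" resolves, "script" is unknown and stays literal
        // on every version, which is the behaviour to rely on until the upgrade lands.
        String withAllowList = restricted().replace(untrusted);

        System.out.println("defaults  : " + withDefaults);
        System.out.println("allow-list: " + withAllowList);
    }
}
```

The same allow-list shape also works for the map-based and function-based lookups the factory offers, which is the usual way to expose only application-defined values to untrusted templates.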
Comment 1 Larry the Git Cow 2022-10-20 11:26:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5a83e6b764ed915e5b2dbacdf6b2cbb7c9b6bdd

commit a5a83e6b764ed915e5b2dbacdf6b2cbb7c9b6bdd
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-16 08:12:52 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-10-20 11:18:21 +0000

    dev-java/commons-text: add 1.10.0 (CVE-2022-42889)
    
    Bug: https://bugs.gentoo.org/877577
    
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/27802
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/commons-text/Manifest                   |  1 +
 dev-java/commons-text/commons-text-1.10.0.ebuild | 59 ++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
Comment 2 John Helmert III 2022-10-20 15:38:51 UTC
Thanks! Please stabilize when ready.
Comment 3 Larry the Git Cow 2022-10-25 21:55:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07e28cb7773bf8a1766227b964661533012765f8

commit 07e28cb7773bf8a1766227b964661533012765f8
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-25 13:18:40 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-25 21:55:41 +0000

    dev-java/commons-text: drop 1.9
    
    Bug: https://bugs.gentoo.org/877577
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/27941
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-java/commons-text/Manifest                |  1 -
 dev-java/commons-text/commons-text-1.9.ebuild | 43 ---------------------------
 2 files changed, 44 deletions(-)
Comment 4 John Helmert III 2022-11-22 18:56:02 UTC
GLSA request filed
Comment 5 Larry the Git Cow 2023-01-11 05:22:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=45e0bd72744551e71baa23cf23de456d4dd49331

commit 45e0bd72744551e71baa23cf23de456d4dd49331
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:18:10 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:05 +0000

    [ GLSA 202301-05 ] Apache Commons Text: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/877577
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-05.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 6 John Helmert III 2023-01-11 05:25:36 UTC
GLSA released, all done!