Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 497652 (CVE-2013-7285) - <dev-java/xstream-1.4.8-r1: Remote code execution (CVE-2013-7285)
Summary: <dev-java/xstream-1.4.8-r1: Remote code execution (CVE-2013-7285)
Status: RESOLVED FIXED
Alias: CVE-2013-7285
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://blog.diniscruz.com/2013/12/xst...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: 547912
Blocks: 564616
  Show dependency tree
 
Reported: 2014-01-10 00:15 UTC by Samuel Damashek (RETIRED)
Modified: 2016-12-13 06:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Samuel Damashek (RETIRED) gentoo-dev 2014-01-10 00:15:50 UTC 
Malicious XML, when deserialized using XStream, can execute arbitrary code because the program runs the XML code specified without first verifying the type.
Comment 2 Joerg Schaible 2015-03-06 22:50:36 UTC 
xstream 1.4.7 and 1.4.8 contains the fix
Comment 3 Patrice Clement (RETIRED) gentoo-dev 2015-10-31 17:37:33 UTC 
commit 9b1f3f6 (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Sat Oct 31 17:31:57 2015 +0000

    dev-java/xstream: Version bump. Fixes security bug 497652.
    
    Package-Manager: portage-2.2.20.1
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 create mode 100644 dev-java/xstream/xstream-1.4.8.ebuild

I needed it to bump groovy to its lastest iteration.

Arch teams

Please stabilise:
=dev-java/xstream-1.4.8

Target arches:
amd64 ppc ppc64 x86

Thank you!
Comment 4 Patrice Clement (RETIRED) gentoo-dev 2015-11-01 13:35:57 UTC 
There was a bug with xstream-1.4.8: this package does need Java 8, meaning at least a {jdk,jre} version >= 1.8.

As a result, please stabilise:
=dev-java/xstream-1.4.8-r1

Target arches:
amd64 x86 (we don't support Java 8 on ppc+ppc64.. yet).

Thank you.
Comment 5 Patrice Clement (RETIRED) gentoo-dev 2015-11-04 10:39:23 UTC 
This will have to wait until virtual/{jre,jdk}-1.8 is marked stable. James is working at it. Please bear with us.
Comment 6 Agostino Sarubbo gentoo-dev 2015-11-04 10:44:12 UTC 
CC back arches when 547912 is resolved.
Comment 7 James Le Cuirot gentoo-dev 2016-05-17 21:51:14 UTC 
Java 8 is stable now. Go forth, monsieurp!
Comment 8 Agostino Sarubbo gentoo-dev 2016-05-19 07:41:21 UTC 
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-05-19 07:42:35 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Patrice Clement (RETIRED) gentoo-dev 2016-05-19 23:56:13 UTC 
commit 144dad3f486dbd6189724db13c28566110aaa482 (HEAD -> master)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Thu May 19 21:54:00 2016 +0100
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Thu May 19 23:27:26 2016 +0000

    dev-java/xstream: Remove vulnerable version. Fixes bug 497652.
    
    Package-Manager: portage-2.2.28

 dev-java/xstream/Manifest                |  1 -
 dev-java/xstream/xstream-1.3.1-r4.ebuild | 62 --------------------------------------------------------------
 2 files changed, 63 deletions(-)
 delete mode 100644 dev-java/xstream/xstream-1.3.1-r4.ebuild
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 21:30:58 UTC 
New GLSA created.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 06:48:56 UTC 
This issue was resolved and addressed in
 GLSA 201612-35 at https://security.gentoo.org/glsa/201612-35
by GLSA coordinator Aaron Bauman (b-man).