Bug 772929 (CVE-2020-11988) - <dev-java/xmlgraphics-commons-2.6: SSRF vulnerability (CVE-2020-11988)
Summary: <dev-java/xmlgraphics-commons-2.6: SSRF vulnerability (CVE-2020-11988)
Status: IN_PROGRESS
Alias: CVE-2020-11988
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://xmlgraphics.apache.org/securi...
Whiteboard: B4 [glsa?]
Keywords: PullRequest
Depends on: 847817
Blocks:
Reported: 2021-02-25 19:22 UTC by John Helmert III
Modified: 2022-08-22 20:56 UTC

See Also:
Package list:
dev-java/xmlgraphics-commons-2.6
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 19:22:46 UTC
CVE-2020-11988:

Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.


Please bump.
Comment 2 Miroslav Šulc gentoo-dev 2021-06-16 13:02:28 UTC
The tests are passing and the consumers compile fine against this version, so IMO it can be stabilized.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-16 19:30:22 UTC
Thanks!
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-17 00:12:58 UTC
x86 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-17 00:14:47 UTC
amd64 done
Comment 6 Agostino Sarubbo gentoo-dev 2021-06-18 06:29:00 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Larry the Git Cow gentoo-dev 2021-06-18 06:37:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfb3c9a6963b80d6c218462b859ac80ece3c3b1e

commit dfb3c9a6963b80d6c218462b859ac80ece3c3b1e
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-06-18 06:37:11 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-06-18 06:37:11 +0000

    dev-java/xmlgraphics-commons: removed vulnerable 2.0.1
    
    Bug: https://bugs.gentoo.org/772929
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/xmlgraphics-commons/Manifest              |  1 -
 .../xmlgraphics-commons-2.0.1.ebuild               | 63 ----------------------
 2 files changed, 64 deletions(-)
Comment 8 Miroslav Šulc gentoo-dev 2021-06-18 06:37:49 UTC
The tree is clean now; you can proceed.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-18 13:52:29 UTC
Thank you!
Comment 10 NATTkA bot gentoo-dev 2022-02-25 21:45:03 UTC Comment hidden (obsolete)
Comment 11 Larry the Git Cow gentoo-dev 2022-02-26 08:44:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3dd94d7603f38c077b0de0e219e64b92153b6c9

commit a3dd94d7603f38c077b0de0e219e64b92153b6c9
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-02-26 07:07:33 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-02-26 08:43:57 +0000

    dev-java/xmlgraphics-commons: Drop 2.6
    
    Bug: https://bugs.gentoo.org/772929
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/24353
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/xmlgraphics-commons/Manifest              |  1 -
 .../xmlgraphics-commons-2.6.ebuild                 | 75 ----------------------
 2 files changed, 76 deletions(-)
Comment 12 NATTkA bot gentoo-dev 2022-02-26 08:48:57 UTC
Unable to check for sanity:

> no match for package: dev-java/xmlgraphics-commons-2.6