CVE-2021-36373 (https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E):

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

CVE-2021-36374 (https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E):

When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Fixes in 1.10.11, please bump.
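Added example, not part of the bug report and not Gentoo or Apache tooling: a check of an Ant version string against the two fixed releases named in the advisory above (1.9.16 on the 1.9 line, 1.10.11 on the 1.10 line). The function names and sample strings are assumptions constructed for illustration; the package names and versions in the samples are the ones mentioned on this page.

```python
import re

# Fixed releases named in the advisory text: 1.9.16 and 1.10.11.
FIXED_1_9 = (1, 9, 16)
FIXED_1_10 = (1, 10, 11)

# First dotted three-part number in the string, e.g. "1.10.9" in
# "dev-java/ant-core-1.10.9-r5" (a Gentoo "-rN" revision is ignored).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_ant_version(text):
    """Extract (major, minor, patch) from a package atom or version banner."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version predates the fix for CVE-2021-36373/36374.

    The two release lines are compared separately: a single
    "older than 1.10.11" test would wrongly flag the fixed 1.9.16.
    """
    version = parse_ant_version(text)
    if version[:2] == (1, 10):
        return version < FIXED_1_10
    # 1.9.x and anything older compare against 1.9.16;
    # release lines newer than 1.10 are past both fixes.
    return version < FIXED_1_9


# Constructed sample inputs (package atoms in the style used on this page
# and one line in the style of "ant -version" output).
SAMPLES = [
    "dev-java/ant-core-1.10.9-r5",
    "dev-java/ant-1.10.14",
    "Apache Ant(TM) version 1.9.16 compiled on July 10 2021",
    "Apache Ant(TM) version 1.9.15 compiled on May 10 2020",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        state = "AFFECTED" if is_affected(sample) else "fixed"
        print(f"{state:8}  {sample}")
```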
Package list is empty or all packages have requested keywords.
According to [1] the vulnerability is from dev-java/ant-core which is a dependency of dev-java/ant.

[1] https://mvnrepository.com/artifact/org.apache.ant/ant
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3e32af191491a385fea63c285d0eade85d329c1

commit d3e32af191491a385fea63c285d0eade85d329c1
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-12-26 10:47:11 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-01-23 09:42:33 +0000

    dev-java/ant-core: compatibility symlink, add 1.10.14

    Some packages still depend on dev-java/ant-core just for getting ant.jar
    into their classpath.

    Starting from version 1.10.14 ant-core is no longer used as a regular
    package. Instead, ant.jar is provided by dev-java/ant. This version of
    dev-java/ant-core provides only the package.env file to register the
    compatibility symlink /usr/share/ant-core/lib/ant.jar which is provided
    by dev-java/ant.

    Delete this package at the end of transition period after adjusting
    JAVA_ANT_E_DEPEND in java-ant-2.eclass when all reverse dependencies
    have switched to dev-java/ant.

    Bug: https://bugs.gentoo.org/802165
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/ant-core/ant-core-1.10.14.ebuild | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9098e1e1174f7f4eef989a538e29a8469e816363

commit 9098e1e1174f7f4eef989a538e29a8469e816363
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-12-24 18:38:07 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-01-23 09:42:33 +0000

    dev-java/ant: add 1.10.14 - CVE-2021-36373, CVE-2021-36374

    Starting from version 1.10.14, dev-java/ant provides itself ant.jar and
    ant-launcher.jar instead of having them symlinked from dev-java/ant-core.

    Jar files of ant-tasks and optionally their javadoc get installed
    conditionally according to their USE flags.
    Those which have no compile dependencies are installed unconditionally

    Closes: https://bugs.gentoo.org/921269
    Bug: https://bugs.gentoo.org/850430
    Bug: https://bugs.gentoo.org/802165
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/ant/Manifest                           |   2 +
 dev-java/ant/ant-1.10.14.ebuild                 | 369 +++++++++++++++++++++++
 dev-java/ant/files/1.10.9-launch.patch          | 361 +++++++++++++++++++++++
 dev-java/ant/files/ant-1.10.14-AntTest.patch    |  28 ++
 dev-java/ant/files/ant-1.10.14-AntlibTest.patch |  40 +++
 dev-java/ant/files/ant-1.10.14-JavaTest.patch   | 370 ++++++++++++++++++++++++
 dev-java/ant/files/ant-1.10.14-LinkTest.patch   |  87 ++++++
 dev-java/ant/files/ant-1.10.14-PathTest.patch   |  30 ++
 8 files changed, 1287 insertions(+)
We don't have a security whiteboard status for keywording even though that still needs to happen first, so I've added the stable? (waiting for a stable bug) status.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=741d4790f8f688a04715b447481adc57c1d888b1

commit 741d4790f8f688a04715b447481adc57c1d888b1
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-02-26 13:59:33 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-03-10 21:10:05 +0000

    dev-java/ant-core: drop 1.10.9-r5

    Bug: https://bugs.gentoo.org/802165
    Closes: https://bugs.gentoo.org/202276
    Closes: https://bugs.gentoo.org/850430
    Closes: https://bugs.gentoo.org/829815
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/ant-core/Manifest                  |   2 -
 dev-java/ant-core/ant-core-1.10.9-r5.ebuild | 159 ----------------------------
 2 files changed, 161 deletions(-)