Bug 831979 (CVE-2022-23437) - <dev-java/xerces-2.12.2: infinite loop vulnerability
Summary: <dev-java/xerces-2.12.2: infinite loop vulnerability
Status: RESOLVED FIXED
Alias: CVE-2022-23437
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [noglsa]
Keywords: PullRequest
Depends on: 834614
Blocks:
Reported: 2022-01-24 15:06 UTC by John Helmert III
Modified: 2022-03-06 18:15 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-24 15:06:51 UTC
From URL:

"There's a vulnerability within the Apache Xerces Java (XercesJ) XML
parser when handling specially crafted XML document payloads. This
causes the XercesJ XML parser to wait in an infinite loop, which may
sometimes consume system resources for a prolonged duration. This
vulnerability is present within XercesJ version 2.12.1 and the
previous versions.

Mitigation:

Apache XercesJ users should migrate to version 2.12.2"

Please bump.
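Checking deployed jars against the affected range, as an added example written for this page and not part of the bug, the quoted advisory or the Xerces project: the script below walks a directory for jars named after xerces, reads the version each jar records about itself, and flags anything below 2.12.2 as affected. Where a jar stores its version (a Maven pom.properties under META-INF/maven/, or Implementation-Version in the manifest) is an assumption here, and the sample jars the script builds are constructed metadata-only stand-ins, not real Xerces jars.

```python
import io
import re
import zipfile
from pathlib import Path

# Per the advisory quoted in this bug, 2.12.1 and earlier are affected; 2.12.2 is the fix.
FIXED_VERSION = (2, 12, 2)


def parse_version(text):
    """Turn a version string such as '2.12.1' into a comparable tuple.
    Trailing qualifiers ('2.12.2-SNAPSHOT') are ignored; a missing patch level counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def jar_version(jar_bytes):
    """Return the version a jar records about itself, or None.

    Looks first for a Maven pom.properties under META-INF/maven/, then for
    Implementation-Version in META-INF/MANIFEST.MF. Where a given Xerces build
    stores its version is an assumption here; adjust for your distribution's jars."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
        if "META-INF/MANIFEST.MF" not in names:
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        # Manifest values may wrap onto continuation lines that begin with one space.
        manifest = manifest.replace("\r\n", "\n").replace("\n ", "")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None


def is_vulnerable(version_text):
    """True if the version is below 2.12.2, False if at or above it,
    None if the version is missing or unparseable (flag for manual review)."""
    if not version_text:
        return None
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIXED_VERSION


def scan_dir(root):
    """Walk a directory tree (e.g. an application's lib/ or WEB-INF/lib/) and report
    every jar whose file name mentions xerces: {path: (version, verdict)}."""
    report = {}
    for jar in Path(root).rglob("*.jar"):
        if "xerces" in jar.name.lower():
            ver = jar_version(jar.read_bytes())
            report[str(jar)] = (ver, is_vulnerable(ver))
    return report


def build_sample_jar(version, via_pom=False):
    """Constructed sample input, not a real Xerces jar: a minimal zip carrying only the
    metadata file the scanner reads, so the script can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if via_pom:
            # Maven coordinates used as the assumed layout of the properties file.
            zf.writestr("META-INF/maven/xerces/xercesImpl/pom.properties",
                        f"groupId=xerces\nartifactId=xercesImpl\nversion={version}\n")
        else:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\n"
                        f"Implementation-Version: {version}\r\n\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.11.0", "2.12.1", "2.12.2"):
        verdict = is_vulnerable(jar_version(build_sample_jar(v)))
        print(f"sample xerces {v}: {'vulnerable' if verdict else 'fixed'}")
```

On a Gentoo host the package manager only answers for the system copy installed as dev-java/xerces; applications that bundle their own xercesImpl jar are not covered by that view, which is what a scan like this one over the application's lib directory is for. A None verdict means the jar carried no recognisable version and needs a manual look rather than being silently passed.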
Comment 1 Larry the Git Cow gentoo-dev 2022-02-03 12:00:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=743111a72f39a1b24f87bd1b2fc32ef707b41407

commit 743111a72f39a1b24f87bd1b2fc32ef707b41407
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-02-02 17:30:03 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-02-03 12:00:09 +0000

    dev-java/xerces: Bump to 2.12.2
    
    Closes: https://bugs.gentoo.org/831155
    Bug: https://bugs.gentoo.org/831979
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/xerces/Manifest             |  1 +
 dev-java/xerces/metadata.xml         | 11 ++++---
 dev-java/xerces/xerces-2.12.2.ebuild | 57 ++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 4 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2022-02-03 12:06:06 UTC
Thanks vaukai for the bump. Let's give it a few days before we start the stabilization process, as we don't have tests for this package.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-04 00:26:26 UTC
No worries, thanks!
Comment 4 Larry the Git Cow gentoo-dev 2022-03-06 17:07:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=610e8e15e38b5c213227f1dabdcddfdf60e66095

commit 610e8e15e38b5c213227f1dabdcddfdf60e66095
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-03-06 16:29:41 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-03-06 17:07:45 +0000

    dev-java/xerces: Drop 2.12.0-r1
    
    Closes: https://bugs.gentoo.org/831155
    Bug: https://bugs.gentoo.org/831979
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/24424
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/xerces/Manifest                |  1 -
 dev-java/xerces/xerces-2.12.0-r1.ebuild | 55 ---------------------------------
 2 files changed, 56 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 18:15:35 UTC
Thanks! Minimal impact so no GLSA. All done!