Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 831979 (CVE-2022-23437) - <dev-java/xerces-2.12.2: infinite loop vulnerability
Summary: <dev-java/xerces-2.12.2: infinite loop vulnerability
Status: RESOLVED FIXED
Alias: CVE-2022-23437
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [noglsa]
Keywords: PullRequest
Depends on: 834614
Blocks:
  Show dependency tree
 
Reported: 2022-01-24 15:06 UTC by John Helmert III
Modified: 2022-03-06 18:15 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-24 15:06:51 UTC
From URL:

"There's a vulnerability within the Apache Xerces Java (XercesJ) XML
parser when handling specially crafted XML document payloads. This
causes, the XercesJ XML parser to wait in an infinite loop, which may
sometimes consume system resources for prolonged duration. This
vulnerability is present within XercesJ version 2.12.1 and the
previous versions.

Mitigation:

Apache XercesJ users, should migrate to version 2.12.2"

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2022-02-03 12:00:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=743111a72f39a1b24f87bd1b2fc32ef707b41407

commit 743111a72f39a1b24f87bd1b2fc32ef707b41407
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-02-02 17:30:03 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-02-03 12:00:09 +0000

    dev-java/xerces: Bump to 2.12.2
    
    Closes: https://bugs.gentoo.org/831155
    Bug: https://bugs.gentoo.org/831979
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/xerces/Manifest             |  1 +
 dev-java/xerces/metadata.xml         | 11 ++++---
 dev-java/xerces/xerces-2.12.2.ebuild | 57 ++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 4 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2022-02-03 12:06:06 UTC
thanks vaukai for the bump. let's give it a few days before we start the stabilization process as we don't have tests for this package.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-04 00:26:26 UTC
No worries, thanks!
Comment 4 Larry the Git Cow gentoo-dev 2022-03-06 17:07:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=610e8e15e38b5c213227f1dabdcddfdf60e66095

commit 610e8e15e38b5c213227f1dabdcddfdf60e66095
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-03-06 16:29:41 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-03-06 17:07:45 +0000

    dev-java/xerces: Drop 2.12.0-r1
    
    Closes: https://bugs.gentoo.org/831155
    Bug: https://bugs.gentoo.org/831979
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/24424
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/xerces/Manifest                |  1 -
 dev-java/xerces/xerces-2.12.0-r1.ebuild | 55 ---------------------------------
 2 files changed, 56 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 18:15:35 UTC
Thanks! Minimal impact so no GLSA. All done!