CVE-2022-34169 (https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw):

https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8

"The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan."

Neither of these references seems to give substantial information on the vulnerability, so I've asked for more info on oss-security.
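The advisory quoted above says only that an "integer truncation" lets a stylesheet corrupt the class files XSLTC emits. As an added illustration (not code from Xalan, BCEL, or the advisory), the toy constant-pool writer below shows what a truncating class-file length field does: the JVM class-file format stores constant_pool_count and every constant-pool index as an unsigned 16-bit (u2) big-endian value, so an emitter that never checks sizes silently wraps a count or an index above 65535 and a conforming reader then resolves a reference to the wrong constant. That this is the field involved in CVE-2022-34169 is an assumption made here; the advisory does not name it. The 70000-entry pool is constructed input.

```python
"""Toy model of a u2 class-file field that wraps instead of failing.

Added illustration, not code from Xalan, BCEL or the advisory. The JVM
class-file format stores constant_pool_count and every constant-pool index as
an unsigned 16-bit (u2) big-endian value. That the advisory's "integer
truncation" is this kind of field is an assumption made here; the advisory
does not name the field.
"""
import struct

CONSTANT_UTF8 = 1
U2_MAX = 0xFFFF


def pack_u2(n, checked=False):
    """Write a u2. Unchecked mode masks silently, like an emitter that never
    validates sizes; checked mode is the hardened form and rejects overflow."""
    if checked and not 0 <= n <= U2_MAX:
        raise ValueError(f"{n} does not fit in a u2 field")
    return struct.pack(">H", n & U2_MAX)


def build_utf8_pool(strings, checked=False):
    """Serialise a constant pool holding only CONSTANT_Utf8 entries:
    u2 constant_pool_count (entries + 1, slot 0 is reserved), then per entry
    u1 tag, u2 length, bytes."""
    out = [pack_u2(len(strings) + 1, checked)]
    for s in strings:
        data = s.encode("utf-8")
        out.append(bytes([CONSTANT_UTF8]) + pack_u2(len(data), checked) + data)
    return b"".join(out)


def parse_utf8_pool(blob):
    """Read the pool back the way a conforming reader would: trust the count."""
    count = struct.unpack(">H", blob[:2])[0]
    entries = [None]  # slot 0 is unused by definition
    pos = 2
    for _ in range(count - 1):
        tag = blob[pos]
        if tag != CONSTANT_UTF8:
            raise ValueError(f"unexpected tag {tag} at offset {pos}")
        length = struct.unpack(">H", blob[pos + 1:pos + 3])[0]
        entries.append(blob[pos + 3:pos + 3 + length].decode("utf-8"))
        pos += 3 + length
    return entries


def resolve(pool_blob, index, checked=False):
    """Emit `index` as a u2 operand (as ldc_w would carry it) and resolve it
    against the pool as parsed. Returns (index on the wire, entry it lands on)."""
    wire = struct.unpack(">H", pack_u2(index, checked))[0]
    entries = parse_utf8_pool(pool_blob)
    return wire, entries[wire] if wire < len(entries) else None


if __name__ == "__main__":
    # Constructed input: 70000 distinct strings, more than a u2 can count.
    names = [f"s{i}" for i in range(70000)]
    pool = build_utf8_pool(names)           # unchecked: count wraps to 4465
    print("entries a reader sees:", len(parse_utf8_pool(pool)) - 1)
    print("index 70000 resolves to:", resolve(pool, 70000))
    try:
        build_utf8_pool(names, checked=True)
    except ValueError as e:
        print("checked writer:", e)
```

With 70000 entries the unchecked writer records a count of 4465 and a reference to entry 70000 lands on "s4463" instead of "s69999": the file still parses, but every late reference now points at a constant of the emitter's choosing, which is the shape of corruption the advisory describes. The checked writer refuses to emit the pool at all.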
https://www.openwall.com/lists/oss-security/2022/10/18/2 "it appears the underlying bug is in Apache Commons bcel and not in Apache Xalan itself. See https://bugs.debian.org/1015860" So I guess some of the dependencies here are invalid.
I guess Apache wants to keep the duplicates.
(In reply to John Helmert III from comment #2) > I guess Apache wants to keep the duplicates. Actually, they responded to my mail and will handle marking the duplicate as such \o/
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3cc2f17cd66be72f77a9335d4e2588325a8d7367

commit 3cc2f17cd66be72f77a9335d4e2588325a8d7367
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-09-06 22:59:28 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-09-19 11:04:48 +0000

    dev-java/xalan: add 2.7.3 - CVE-2022-34169

    Bug: https://bugs.gentoo.org/859394
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/32668
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/xalan/Manifest           |  2 ++
 dev-java/xalan/xalan-2.7.3.ebuild | 45 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
(In reply to Larry the Git Cow from comment #4)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3cc2f17cd66be72f77a9335d4e2588325a8d7367
>
> commit 3cc2f17cd66be72f77a9335d4e2588325a8d7367
> Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
> AuthorDate: 2023-09-06 22:59:28 +0000
> Commit:     Miroslav Šulc <fordfrog@gentoo.org>
> CommitDate: 2023-09-19 11:04:48 +0000
>
>     dev-java/xalan: add 2.7.3 - CVE-2022-34169
>
>     Bug: https://bugs.gentoo.org/859394
>     Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
>     Closes: https://github.com/gentoo/gentoo/pull/32668
>     Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
>
>  dev-java/xalan/Manifest           |  2 ++
>  dev-java/xalan/xalan-2.7.3.ebuild | 45 +++++++++++++++++++++++++++++++++++++++
>  2 files changed, 47 insertions(+)

We shouldn't be affected by this though, right? xalan depends on bcel, so shouldn't be using the vulnerable bundled bcel?
(In reply to John Helmert III from comment #5)
> (In reply to Larry the Git Cow from comment #4)
> [...]
> We shouldn't be affected by this though, right? xalan depends on bcel, so
> shouldn't be using the vulnerable bundled bcel?

Right. There is bcel-6.7.0.jar in xalan{,-serializer}'s lib directory but ::gentoo does not use it.
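The question in the last two comments (does the packaged xalan pick up the BCEL copy shipped in its lib directory, or the system dev-java/bcel?) is worth checking on an installed tree rather than taking on trust, since a shaded or bundled copy is exactly what a distro dependency on the system package does not patch. The scanner below is an added example, not Gentoo or Xalan tooling: it walks a directory of jars and reports each jar that carries BCEL classes together with the Implementation-Version its manifest declares. The sample lib directory it builds is constructed in a temp dir; only the names bcel-6.7.0.jar and xalan 2.7.3 come from this thread, the other jars, versions and class names are made up for the fixture.

```python
"""Scan a directory of jars for copies of BCEL classes.

Added example (not Gentoo or Xalan tooling). It answers the static half of the
question in this thread: which jars on disk carry BCEL code, and which version
each jar declares. Whether the JVM actually loads that copy depends on the
runtime classpath; see the usage note.
"""
import os
import tempfile
import zipfile

# Package prefixes that identify a copy of BCEL: upstream BCEL, and the copy
# the JDK repackages under its internal namespace.
BCEL_PREFIXES = ("org/apache/bcel/", "com/sun/org/apache/bcel/internal/")


def manifest_version(zf):
    """Return the jar's Implementation-Version, or None if it has none."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(path):
    """Count BCEL .class entries in one jar and read its declared version."""
    with zipfile.ZipFile(path) as zf:
        bcel = [n for n in zf.namelist()
                if n.endswith(".class") and n.startswith(BCEL_PREFIXES)]
        return {"jar": os.path.basename(path),
                "version": manifest_version(zf),
                "bcel_classes": len(bcel)}


def find_bundled_bcel(jar_dir):
    """One record per jar under jar_dir that carries BCEL classes."""
    hits = []
    for name in sorted(os.listdir(jar_dir)):
        if name.endswith(".jar"):
            rec = inspect_jar(os.path.join(jar_dir, name))
            if rec["bcel_classes"]:
                hits.append(rec)
    return hits


def make_sample_jar(path, version, entries):
    """Constructed fixture: a jar with a manifest and empty class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"")


def demo():
    """Build a constructed lib directory and scan it. Only bcel-6.7.0.jar and
    xalan 2.7.3 come from the thread; the other jars are made up."""
    lib = tempfile.mkdtemp(prefix="xalan-lib-")
    make_sample_jar(os.path.join(lib, "bcel-6.7.0.jar"), "6.7.0",
                    ["org/apache/bcel/classfile/ConstantPool.class"])
    make_sample_jar(os.path.join(lib, "xalan.jar"), "2.7.3",
                    ["org/apache/xalan/xsltc/compiler/Parser.class"])
    make_sample_jar(os.path.join(lib, "serializer.jar"), "2.7.3",
                    ["org/apache/xml/serializer/Version.class"])
    # A hypothetical application jar that shaded its own BCEL copy: the case a
    # distro dependency on system dev-java/bcel does not fix.
    make_sample_jar(os.path.join(lib, "legacy-xslt-app.jar"), "1.0",
                    ["org/apache/bcel/generic/ClassGen.class", "app/Main.class"])
    return find_bundled_bcel(lib)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec['jar']}: version={rec['version']} "
              f"bcel_classes={rec['bcel_classes']}")
```

Point find_bundled_bcel at /usr/share/xalan/lib (or wherever the package installs its jars) to see what is shipped. The scan is static: to confirm which copy the JVM resolves at run time, start the application with `java -verbose:class` and look for `org.apache.bcel` in the class-load lines, which name the source jar.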