Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 907927 (CVE-2023-33546) - dev-java/janino: DoS vulnerability
Summary: dev-java/janino: DoS vulnerability
Status: RESOLVED FIXED
Alias: CVE-2023-33546
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords: PMASKED, PullRequest
Depends on:
Blocks:
 
Reported: 2023-06-06 04:03 UTC by John Helmert III
Modified: 2023-07-13 03:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-06 04:03:01 UTC 
CVE-2023-33546 (https://github.com/janino-compiler/janino/issues/201):

janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.

I'm not sure we actually care about this given upstream's security
notes (https://janino-compiler.github.io/janino/#security) state:

" These are the "really evil things" that an attacker might do. However actions that are not guarded are:

    Allocate memory
    Create new threads
    Use CPU time excessively
"
Comment 1 Larry the Git Cow gentoo-dev 2023-06-07 05:23:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5987ec362a8eac13d17db3fc29306ac0f5be4d7

commit f5987ec362a8eac13d17db3fc29306ac0f5be4d7
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-06-06 07:22:59 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-06-07 05:23:16 +0000

    profiles: Last rite dev-java/janino, CVE-2023-33546
    
    Bug: https://bugs.gentoo.org/907927
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/31329
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 profiles/package.mask | 9 +++++++++
 1 file changed, 9 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-12 04:31:28 UTC 
tHANKS!
Comment 3 Volkmar W. Pogatzki 2023-06-20 08:35:35 UTC 
There is an upstream patch to be tested[1].

[1]https://github.com/janino-compiler/janino/issues/201#ref-commit-a38d952
Comment 4 Larry the Git Cow gentoo-dev 2023-07-08 17:40:09 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96a1712ca2e7004260a15b4adbdfc5bf0529fb2f

commit 96a1712ca2e7004260a15b4adbdfc5bf0529fb2f
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-07-08 17:35:23 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-07-08 17:39:50 +0000

    dev-java/janino: treeclean
    
    Bug: https://bugs.gentoo.org/907927
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-java/janino/Manifest            |   2 -
 dev-java/janino/janino-3.1.7.ebuild | 103 ------------------------------------
 dev-java/janino/janino-3.1.8.ebuild | 101 -----------------------------------
 dev-java/janino/metadata.xml        |  14 -----
 profiles/package.mask               |   6 ---
 5 files changed, 226 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-07-13 03:28:45 UTC 
Thanks, all done!