Bug 907927 (CVE-2023-33546) - dev-java/janino: DoS vulnerability
Summary: dev-java/janino: DoS vulnerability
Status: RESOLVED FIXED
Alias: CVE-2023-33546
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords: PMASKED, PullRequest
Depends on:
Blocks:
 
Reported: 2023-06-06 04:03 UTC by John Helmert III
Modified: 2023-07-13 03:28 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-06 04:03:01 UTC
CVE-2023-33546 (https://github.com/janino-compiler/janino/issues/201):

janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.

I'm not sure we actually care about this given upstream's security
notes (https://janino-compiler.github.io/janino/#security) state:

" These are the "really evil things" that an attacker might do. However actions that are not guarded are:

    Allocate memory
    Create new threads
    Use CPU time excessively
"
Comment 1 Larry the Git Cow gentoo-dev 2023-06-07 05:23:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5987ec362a8eac13d17db3fc29306ac0f5be4d7

commit f5987ec362a8eac13d17db3fc29306ac0f5be4d7
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-06-06 07:22:59 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-06-07 05:23:16 +0000

    profiles: Last rite dev-java/janino, CVE-2023-33546
    
    Bug: https://bugs.gentoo.org/907927
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/31329
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 profiles/package.mask | 9 +++++++++
 1 file changed, 9 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-12 04:31:28 UTC
Thanks!
Comment 3 Volkmar W. Pogatzki 2023-06-20 08:35:35 UTC
There is an upstream patch to be tested[1].

[1] https://github.com/janino-compiler/janino/issues/201#ref-commit-a38d952
Comment 4 Larry the Git Cow gentoo-dev 2023-07-08 17:40:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96a1712ca2e7004260a15b4adbdfc5bf0529fb2f

commit 96a1712ca2e7004260a15b4adbdfc5bf0529fb2f
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-07-08 17:35:23 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-07-08 17:39:50 +0000

    dev-java/janino: treeclean
    
    Bug: https://bugs.gentoo.org/907927
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-java/janino/Manifest            |   2 -
 dev-java/janino/janino-3.1.7.ebuild | 103 ------------------------------------
 dev-java/janino/janino-3.1.8.ebuild | 101 -----------------------------------
 dev-java/janino/metadata.xml        |  14 -----
 profiles/package.mask               |   6 ---
 5 files changed, 226 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-07-13 03:28:45 UTC
Thanks, all done!