Bug#1015860: libxalan2-java: CVE-2022-34169

2022-10-17 Thread Markus Koschany
Control: reassign -1 src:bcel
Control: tags -1 pending


I have notified oss-security about the find. Reassigning to bcel.


This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#1015860: libxalan2-java: CVE-2022-34169

2022-10-14 Thread Moritz Mühlenhoff
On Thu, Oct 13, 2022 at 09:36:09PM +0200, Markus Koschany wrote:
> Hi,
> 
> I just had a go at this issue and I discovered that libxalan2-java in Debian
> is not affected but rather bcel.
> 
> https://tracker.debian.org/pkg/bcel
> 
> The fixing commit in OpenJDK addresses the same code which is nowhere to be
> found in libxalan2-java but is present in bcel. The bcel upstream commit can
> be found at
> 
> https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5
> 
> 
> I suggest reassigning the bug to bcel. I agree that libxalan2-java should be
> retired eventually. It is required by quite a few reverse dependencies though
> and it may take some time to achieve that. In theory everything should work
> without the library, because the code is in OpenJDK already?

Nice find!

> I am not sure if we should request to clarify the CVE description or at least
> post on oss-security to make other people aware of it. I assume the official
> xalan2 release ships an internal copy of bcel and that might be the reason for
> the confusion.

Yeah, I think it would be best if you were to post to oss-security about this,
then this can be picked up as a public reference to other distros (and the
URL in the list archives could be used to challenge/update the CVE ID).

Cheers,
Moritz



Bug#1015860: libxalan2-java: CVE-2022-34169

2022-10-13 Thread Markus Koschany
Hi,

I just had a go at this issue and I discovered that libxalan2-java in Debian is
not affected but rather bcel.

https://tracker.debian.org/pkg/bcel

The fixing commit in OpenJDK addresses the same code which is nowhere to be
found in libxalan2-java but is present in bcel. The bcel upstream commit can be
found at

https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5


I suggest reassigning the bug to bcel. I agree that libxalan2-java should be
retired eventually. It is required by quite a few reverse dependencies though
and it may take some time to achieve that. In theory everything should work
without the library, because the code is in OpenJDK already?

I am not sure if we should request to clarify the CVE description or at least
post on oss-security to make other people aware of it. I assume the official
xalan2 release ships an internal copy of bcel and that might be the reason for
the confusion.

Regards,

Markus


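The finding above, that the code touched by the fixes lives in Debian's bcel package and not in libxalan2-java, is easy to re-check against the installed jars. The script below is an added example for this thread; it is not from the bug report, Debian or Apache. It assumes Commons BCEL classes appear under org/apache/bcel/ in an Apache-style jar and under com/sun/org/apache/bcel/internal/ in OpenJDK's repackaged copy, and it uses generic/ConstantPoolGen.class, the class both linked commits modify, as the marker for "carries the affected code". The /usr/share/java paths in the usage comment are the usual Debian locations but are an assumption here, and the two jars built inside the block are constructed stand-ins for the real packages.

```python
"""Check which jar actually ships the BCEL classes the CVE-2022-34169 fixes touch.

Added example for the Debian bug thread; not code from Debian, Apache or OpenJDK.
"""
import io
import sys
import zipfile
from collections import Counter
from typing import BinaryIO, Union

# Package prefixes under which a copy of BCEL may be bundled (assumption: these
# are the Apache and the OpenJDK-repackaged layouts respectively).
BCEL_PREFIXES = (
    "org/apache/bcel/",
    "com/sun/org/apache/bcel/internal/",
)
# Both commits linked in the thread modify generic/ConstantPoolGen, so its presence
# is the marker for "this jar carries the affected code".
AFFECTED_CLASS = "generic/ConstantPoolGen.class"


def inspect_jar(jar: Union[str, BinaryIO]) -> dict:
    """Return which BCEL copies a jar bundles and whether the affected class is among them."""
    with zipfile.ZipFile(jar) as zf:
        names = [n for n in zf.namelist() if n.endswith(".class")]
    by_prefix: Counter = Counter()
    affected = []
    for name in names:
        for prefix in BCEL_PREFIXES:
            if name.startswith(prefix):
                by_prefix[prefix] += 1
                if name == prefix + AFFECTED_CLASS:
                    affected.append(name)
    return {
        "classes": len(names),
        "bcel_copies": dict(by_prefix),
        "affected_classes": affected,
        "ships_affected_code": bool(affected),
    }


def build_sample_jar(paths) -> io.BytesIO:
    """Build an in-memory jar from entry paths. Constructed test data, not real class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in paths:
            zf.writestr(path, b"\xca\xfe\xba\xbe")  # class-file magic only; content is irrelevant
    buf.seek(0)
    return buf


# Constructed stand-ins for the two Debian packages discussed in the thread.
XALAN_ONLY = build_sample_jar([
    "org/apache/xalan/xsltc/compiler/XSLTC.class",
    "org/apache/xalan/xsltc/compiler/util/MethodGenerator.class",
    "org/apache/xml/serializer/ToStream.class",
])
BCEL_JAR = build_sample_jar([
    "org/apache/bcel/Const.class",
    "org/apache/bcel/generic/ConstantPoolGen.class",
    "org/apache/bcel/generic/InstructionList.class",
])


def report(label: str, jar) -> str:
    r = inspect_jar(jar)
    verdict = "ships affected BCEL code" if r["ships_affected_code"] else "no BCEL copy found"
    return f"{label}: {r['classes']} classes, bcel copies {r['bcel_copies']}: {verdict}"


if __name__ == "__main__":
    # Against real packages (paths assumed to be the usual Debian ones):
    #   python3 check_bcel.py /usr/share/java/xalan2.jar /usr/share/java/bcel.jar
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(report(path, path))
    else:
        print(report("constructed xalan-only jar", XALAN_ONLY))
        print(report("constructed bcel jar", BCEL_JAR))
```

Run without arguments the script exercises the two constructed jars; pointed at real jars it tells you which package owns the class the fix lands in, which is exactly the question the reassignment hinges on.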


Bug#1015860: libxalan2-java: CVE-2022-34169

2022-07-22 Thread Moritz Mühlenhoff
Source: libxalan2-java
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libxalan2-java.

CVE-2022-34169[0]:
| The Apache Xalan Java XSLT library is vulnerable to an integer
| truncation issue when processing malicious XSLT stylesheets. This can
| be used to corrupt Java class files generated by the internal XSLTC
| compiler and execute arbitrary Java bytecode. The Apache Xalan Java
| project is dormant and in the process of being retired. No future
| releases of Apache Xalan Java to address this issue are expected.
| Note: Java runtimes (such as OpenJDK) include repackaged copies of
| Xalan.

https://www.openwall.com/lists/oss-security/2022/07/19/5

The patch in the openjdk-internal version seems to be
https://github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297
so that might be a potential way to fix this.

Given that the package has been retired by Apache, we should however also work
to get it removed from Debian?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-34169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169

Please adjust the affected versions in the BTS as needed.

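The CVE text above says only "integer truncation"; the mechanism behind it, as far as the linked BCEL and OpenJDK fixes show, is that constant-pool indices in a class file are 16-bit fields, so a pool grown past 0xFFFF entries produces indices that wrap and point at earlier, attacker-chosen constants. The block below is an added illustration of that failure mode, not code from Xalan, BCEL or OpenJDK; TruncatingPool, CheckedPool, aliasing_demo and the filler entries are all invented for the example, and the range check in CheckedPool stands in for the kind of guard the upstream commits add.

```python
"""Why an unchecked 16-bit constant-pool index corrupts a generated class file.

Added illustration for the CVE-2022-34169 report; not code from Xalan, BCEL or OpenJDK.
Models the class-file rule that constant-pool indices are u2 fields, and shows what
happens when a compiler hands an index above 0xFFFF to an emitter that truncates.
"""
import struct

MAX_CP_ENTRIES = 0xFFFF  # u2: the class-file format cannot address more entries


class TruncatingPool:
    """Pool builder that hands out int indices but serialises them as u2 with no range check."""

    def __init__(self) -> None:
        self.entries: list = []

    def add(self, entry) -> int:
        self.entries.append(entry)
        return len(self.entries)  # 1-based, as in the JVM spec; may exceed 0xFFFF

    def encode_index(self, index: int) -> bytes:
        # Silent truncation: models an emitter that casts int -> 16 bits without checking.
        return struct.pack(">H", index & 0xFFFF)

    def resolve(self, encoded: bytes):
        """What the JVM sees when it reads the u2 back from the class file."""
        (index,) = struct.unpack(">H", encoded)
        return self.entries[index - 1] if index else None


class CheckedPool(TruncatingPool):
    """Same builder with a range check (the shape of the upstream fixes): refuse to grow past u2."""

    def add(self, entry) -> int:
        if len(self.entries) >= MAX_CP_ENTRIES:
            raise ValueError(f"constant pool would exceed {MAX_CP_ENTRIES} entries")
        return super().add(entry)


def aliasing_demo() -> tuple:
    """Fill a pool past the u2 limit and show the emitted index aliases an earlier entry.

    A stylesheet under attacker control can make XSLTC emit this many constants;
    here the padding entries are constructed filler.
    """
    pool = TruncatingPool()
    first = pool.add(("utf8", "attacker-controlled-string"))  # index 1
    for i in range(MAX_CP_ENTRIES):  # entries 2 .. 65536
        pool.add(("utf8", f"filler-{i}"))
    late = pool.add(("utf8", "intended-constant"))  # index 65537 == 0x10001
    encoded = pool.encode_index(late)  # wraps to 0x0001
    return first, late, encoded, pool.resolve(encoded)


def checked_demo() -> str:
    """Same overflow attempt against the checked builder: it fails closed."""
    pool = CheckedPool()
    try:
        for i in range(MAX_CP_ENTRIES + 1):
            pool.add(("utf8", f"filler-{i}"))
    except ValueError as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    first, late, encoded, seen = aliasing_demo()
    print(f"compiler meant index {late}, wrote {encoded.hex()}, JVM reads entry {seen}")
    print("checked pool:", checked_demo())
```

The point for a reviewer of either patch is that the emitter, not the parser, is the right place for the check: once the u2 is written, a verifier-compliant JVM has no way to tell the aliased reference from a legitimate one.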