| Summary: | groovy new security issue CVE-2015-3253 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, lewyssmith, pterjan, shlomif, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/651766/ | ||
| Whiteboard: | MGA4TOO advisory MGA5-64-OK MGA4-32-OK MGA4-64-OK MGA5-32-OK has_procedure | ||
| Source RPM: | groovy-1.8.9-5.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description

David Walser 2015-07-16 22:01:36 CEST

David Walser 2015-07-16 22:01:58 CEST
Version: 5 => Cauldron

David Walser 2015-07-20 20:57:32 CEST
URL: (none) => http://lwn.net/Vulnerabilities/651766/

David Walser 2015-07-21 19:17:50 CEST
CC: (none) => geiger.david68210, pterjan

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated groovy packages fix security vulnerability:

When an application has Groovy on the classpath and it uses the standard Java serialization mechanism to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability (CVE-2015-3253).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
http://groovy-lang.org/security.html
========================

Updated packages in core/updates_testing:
========================

groovy-1.8.7-3.1.mga4
groovy-javadoc-1.8.7-3.1.mga4
groovy-1.8.9-5.1.mga5
groovy-lib-1.8.9-5.1.mga5

from SRPMS:
groovy-1.8.7-3.1.mga4.src.rpm
groovy-1.8.9-5.1.mga5.src.rpm

Version: Cauldron => 5
Dave Hodgins 2015-07-28 16:20:20 CEST
CC: (none) => davidwhodgins

Hi all,

tested fine on MGA5-64-OK (Acer Core Duo laptop):
[shlomif@localhost ~]$ groovy -e 'print "Hi\n";'
/usr/bin/build-classpath: Could not find jsp Java extension for this JVM
/usr/bin/build-classpath: error: Some specified jars were not found
Hi
[shlomif@localhost ~]$ groovy -e 'for (int i in (1 .. 10)) { print i; print "\n"; }'
/usr/bin/build-classpath: Could not find jsp Java extension for this JVM
/usr/bin/build-classpath: error: Some specified jars were not found
1
2
3
4
5
6
7
8
9
10
[shlomif@localhost ~]$ cat 99_bottles.groovy # From Rosetta Code
def bottles = { "${it==0 ? 'No more' : it} bottle${it==1 ? '' : 's' }" }
99.downto(1) { i ->
print """
${bottles(i)} of beer on the wall
${bottles(i)} of beer
Take one down, pass it around
${bottles(i-1)} of beer on the wall
"""
}
[shlomif@localhost ~]$ groovy 99_bottles.groovy | less
[shlomif@localhost ~]$ rpm -q groovy
groovy-1.8.9-5.1.mga5
[shlomif@localhost ~]$
CC: (none) => shlomif

I'm going to try MGA4-32 next. Stay tuned.

Regards,

-- Shlomi Fish

Adding MGA4-32-OK because tested fine on a VBox VM.
Whiteboard: MGA4TOO advisory MGA5-64-OK => MGA4TOO advisory MGA5-64-OK MGA4-32-OK

Testing MGA4 x64 (OK)
Great thanks to Shlomi for his tests in Comment 2.

BEFORE: groovy-1.8.7-3.mga4 [Installing this pulled in 75 packages!]
$ groovy -e 'print "Hi\n";'
Hi
$ groovy -e 'for (int i in (1 .. 10)) { print i; print "\n"; }'
1
...
10
$ groovy 99_bottles.groovy [or redirect O/P to file, or pipe to less]
99 bottles of beer on the wall
99 bottles of beer
Take one down, pass it around
98 bottles of beer on the wall
...
1 bottle of beer on the wall
1 bottle of beer
Take one down, pass it around
No more bottles of beer on the wall

UPDATE to: groovy-1.8.7-3.1.mga4
The three tests produced identical output. So at least no reversion, OK.
CC: (none) => lewyssmith

Tested on a Mageia 5 i586 VM. Works fine before and after the update.
Marking as "MGA5-32-OK" and "has_procedure".
Whiteboard: MGA4TOO advisory MGA5-64-OK MGA4-32-OK MGA4-64-OK => MGA4TOO advisory MGA5-64-OK MGA4-32-OK MGA4-64-OK MGA5-32-OK has_procedure

Validating, please push to 4 & 5 core/updates.
@ Shlomi: Feel free to validate it yourself once it has been tested on all platforms.
Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0296.html
Status: NEW => RESOLVED