Bug 20121

Fixed on Cauldron!

But for mga5 with our current groovy-1.8.9 seems that this CVE is not needed, it says:

* Unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3

And patch for CVE-2016-6814 conflicts with another/older patch: CVE-2015-3253 (already applied).

Thanks for the fix in Cauldron.

For Mageia 5, I believe they were saying that versions 1.7.0 to 2.4.3 (which includes 1.8.9) *are* affected, but they're not supported, so they're not releasing fixes for those.  Hopefully RedHat or someone will backport it if we can't.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Fedora has issued an advisory for this on January 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GLUK73YU2ETK7USTPIIC4YQT3BYKGEOB/

URL: (none) => https://lwn.net/Vulnerabilities/712297/

RedHat has issued an advisory for this today (August 17):
https://access.redhat.com/errata/RHSA-2017:2486

groovy 1.8.9 is definitely affected, as Fedora is now issuing advisories for it.

Fedora has issued an advisory on August 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A5FSJEOEIYPZDGJRMEPJPMUMDN4MQQJI/

Unfortunately we also have this packaged in Mageia 6 as groovy18.

Version: 5 => Cauldron
Summary: groovy new security issue CVE-2016-6814 => groovy and groovy18 new security issue CVE-2016-6814
Whiteboard: (none) => MGA6TOO, MGA5TOO

pushed in updates_testing
src.rpm:
        groovy18-1.8.9-26.1.mga6
        groovy-1.8.9-5.2.mga5

Assignee: mageia => qa-bugs

Only Cauldron built successfully.

Assignee: qa-bugs => mageia

Updated packages for Mageia 5:
groovy-1.8.9-5.2.mga5
groovy-lib-1.8.9-5.2.mga5
groovy-javadoc-1.8.9-5.2.mga5

from groovy-1.8.9-5.2.mga5.src.rpm

The Mageia 6 build doesn't appear to be going anywhere...

Whiteboard: MGA5TOO => MGA5TOO feedback

mga6 build is finished too

Advisory:
========================

Updated groovy and groovy18 package fixes security vulnerability:

It was found that a flaw in Apache groovy library allows remote code execution
wherever deserialization occurs in the application. It is possible for an
attacker to craft a special serialized object that will execute code directly
when deserialized. All applications which rely on serialization and do not
isolate the code which deserializes objects are subject to this vulnerability
(CVE-2016-6814).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GLUK73YU2ETK7USTPIIC4YQT3BYKGEOB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A5FSJEOEIYPZDGJRMEPJPMUMDN4MQQJI/
========================

Updated packages in core/updates_testing:
========================
groovy-1.8.9-5.2.mga5
groovy-lib-1.8.9-5.2.mga5
groovy-javadoc-1.8.9-5.2.mga5
groovy18-1.8.9-26.1.mga6
groovy18-lib-1.8.9-26.1.mga6
groovy18-javadoc-1.8.9-26.1.mga6

from SRPMS:
groovy-1.8.9-5.2.mga5.src.rpm
groovy18-1.8.9-26.1.mga6.src.rpm

Whiteboard: MGA5TOO feedback => MGA5TOO

mga6  x86_64

I have not been able to figure out any way to connect this with Apache or
deserialization or anything and there are no reproducers available so all we can do is
ensure that the language still works at the commandline level. 

Installed the groovy18 packages from core/updates testing.

Tutorial at https://www.pegasoft.ca/docs/groovy.html

Tried out a few totally trivial scripts:
--------------------------------------------------------------------------------------
// File hello.gvy
class Foo {
   int i = 2;
   void print_i( ) {
      println "The value of i is " + i;
   }
}
Foo f = new Foo( );
f.print_i( );
--------------------------------------------------------------------------------------
// File: hash.groovy
applecart = [ "Bramley":11, "GrannySmith":22, "OrangePippin":28, "GoldenDelicious":15 ];
println "The applecart map looks like this: " + applecart;
println "The class of the map is " + applecart.getClass( );
println "The size of the map is " + applecart.size( );
println "The size of an empty map is " + [:].size( );
grannysmiths = applecart['GrannySmith']
println "The number of Granny Smiths is $grannysmiths";
applecart["OrangePippin"] = 24;
println "There are " + applecart["OrangePippin"] + " OrangePippins left";
println "Peaches there are " + applecart["peach"];

def fruit = applecart['Bramley']

if ( fruit ==~ /^[A-Z].*/ ) {
   println "Looks like these might be apples"
} else {
   println "Cannot be apples"
}
--------------------------------------------------------------------------------------
// File closures.gvy
// Closures

def some_function = { 2 * 2 }

println some_function
println some_function()

some_function = { 2 * it }  // it is a parameter
println some_function( 3 )
--------------------------------------------------------------------------------------
$ groovy hello.gvy
The value of i is 2

$ groovy hash.groovy
The applecart map looks like this: [Bramley:11, GrannySmith:22, OrangePippin:28, GoldenDelicious:15]
The class of the map is class java.util.LinkedHashMap
The size of the map is 4
The size of an empty map is 0
The number of Granny Smiths is 22
There are 24 OrangePippins left
Peaches there are null
Cannot be apples

$ groovy closures.gvy
closures$_run_closure1@d4342c2
4
6

These all look OK although the negative result of the regular expression check gives
cause for concern.  That was the same in the tutorial.

At this primitive level the software works.

CC: (none) => tarazed25

mga5  x86_64

Installed the updates then tested the set of short scripts that were reported in comment 11.  All three yielded the same results but also complained about  the java setup, which should be ignored.

"/usr/bin/build-classpath: Could not find jsp Java extension for this JVM
/usr/bin/build-classpath: error: Some specified jars were not found"

Giving this a pass.

Advisory from Comment 10. Also validating, tested both releases.

CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK advisory

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0311.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED