Bug 27167

Summary: htmlunit new security issue CVE-2020-5529
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, brtians1, mageia, sysadmin-bugs, zombie_ryushu
Version: 7Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: htmlunit-2.23-3.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-08-21 20:43:56 CEST 
Debian-LTS has issued an advisory on August 15:
https://www.debian.org/lts/security/2020/dla-2326

The issue is fixed upstream in 2.37.0.  Debian has a patch.

Mageia 7 is also affected.
David Walser 2020-08-21 20:44:22 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-10-16 21:13:01 CEST 
Ubuntu has issued an advisory for this on October 15:
https://ubuntu.com/security/notices/USN-4584-1

The package has (mercifully) been removed from Cauldron.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 2 David Walser 2020-12-07 03:34:15 CET 
*** Bug 27772 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

David Walser 2020-12-28 18:42:29 CET

Status comment: (none) => Patch available from Debian and Ubuntu

Comment 3 Nicolas Lécureuil 2021-03-11 17:47:16 CET 
Patch added in mga7:

src:
   - htmlunit-2.23-2.1.mga7

CC: (none) => mageia
Assignee: java => qa-bugs
Status comment: Patch available from Debian and Ubuntu => (none)

Comment 4 David Walser 2021-03-12 20:42:58 CET 
RPMs:
htmlunit-2.23-2.1.mga7
htmlunit-javadoc-2.23-2.1.mga7
Comment 5 David Walser 2021-03-14 15:47:32 CET 
Advisory:
========================

Updated htmlunit packages fix security vulnerability:

It was discovered that HtmlUnit incorrectly initialized Rhino engine. An
Attacker could possibly use this issue to execute arbitrary Java code
(CVE-2020-5529).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5529
https://ubuntu.com/security/notices/USN-4584-1
Comment 6 Brian Rockwell 2021-03-20 16:24:59 CET 
This worked MGA7-64bit Java 8

here is the code.  Note this takes an incredible number of dependent jars to work.  

Note I used Eclipse

The code

----

package htmlTest;

import com.gargoylesoftware.htmlunit.BrowserVersion;
import com.gargoylesoftware.htmlunit.NicelyResynchronizingAjaxController;
import com.gargoylesoftware.htmlunit.SilentCssErrorHandler;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import java.io.IOException;

public class mageiaPage {

	public static void main(String[] args) throws Exception {
	        WebClient webClient = new WebClient(BrowserVersion.getDefault());
//	        webClient.setCssErrorHandler(new SilentCssErrorHandler());
	        webClient.setAjaxController(new NicelyResynchronizingAjaxController());
	        webClient.getOptions().setCssEnabled(true);
	        webClient.getOptions().setRedirectEnabled(true);
	        webClient.getOptions().setAppletEnabled(true);
	        webClient.getOptions().setJavaScriptEnabled(false);
	        webClient.getOptions().setPopupBlockerEnabled(true);
	        webClient.getOptions().setTimeout(10000);
	        HtmlPage page = webClient.getPage("https://mageia.org");
	        System.out.println(page.asXml());
	        webClient.close();
	}

}

-----  

I ran it through Eclipse after an hour of stackexchanging and adding external jars.  Very cool utility though.

Output is XML

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 7 Thomas Andrews 2021-03-20 18:01:19 CET 
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Mageia Robot 2021-03-21 11:45:32 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0148.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED