Bug 27965

Summary: guava new security issue CVE-2020-8908
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-8908
Whiteboard: MGA7-64-OK
Source RPM: guava-25.0-2.mga7.src.rpm CVE: CVE-2020-8908
Status comment:

Description Zombie Ryushu 2020-12-29 06:50:44 CET 
A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.
Zombie Ryushu 2020-12-29 06:50:58 CET

CVE: (none) => CVE-2020-8908

David Walser 2020-12-29 17:02:28 CET

Summary: guava security vulnerability CVE-2020-8908 => guava new security issue CVE-2020-8908
Assignee: bugsquad => java
Whiteboard: (none) => MGA7TOO

David Walser 2020-12-29 17:31:00 CET

Status comment: (none) => Fixed upstream in 30.0

Comment 1 David Walser 2020-12-29 17:33:31 CET 
See the link to the upstream commit to fix this issue linked from these:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8908
https://bugzilla.redhat.com/show_bug.cgi?id=1906919

Status comment: Fixed upstream in 30.0 => Patch available from upstream

Comment 2 David Walser 2020-12-30 17:50:48 CET 
It sounds like this *may* not be a real issue with Java 7 or later.

Patched packages uploaded by Nicolas for Mageia 7 and Cauldron.

Advisory:
========================

Updated guava packages fix security vulnerability:

A temp directory creation vulnerability exist in Guava versions prior to 30.0
allowing an attacker with access to the machine to potentially access data in a
temporary directory created by the Guava
com.google.common.io.Files.createTempDir(). The permissions granted to the
directory created default to the standard unix-like /tmp ones, leaving the
files open (CVE-2020-8908).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
========================

Updated packages in core/updates_testing:
========================
guava-25.0-2.1.mga7
guava-javadoc-25.0-2.1.mga7
guava-testlib-25.0-2.1.mga7

from guava-25.0-2.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Status comment: Patch available from upstream => (none)
Version: Cauldron => 7
CC: (none) => mageia
Assignee: java => qa-bugs

Comment 3 Brian Rockwell 2021-01-10 03:05:20 CET 
The following 3 packages are going to be installed:

- guava-25.0-2.1.mga7.noarch
- guava-javadoc-25.0-2.1.mga7.noarch
- jsr-305-1-0.18.20130910svn.2.mga7.noarch


This places are jar file in /usr/share/java/guava

- - -

I installed eclipse and wrote a program using a single class from guava (splitter)

package brianSplit;

import com.google.common.base.Splitter;

public class Splitme {

	public static void main(String[] args) {
		// TODO Auto-generated method stub
		System.out.println(Splitter.on(',').split("Brian, and someone else"));

	}

}

working from what I can tell.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Aurelien Oudelet 2021-01-10 18:08:10 CET

Keywords: (none) => advisory, validated_update
Source RPM: guava-25.0-4.mga8.src.rpm => guava-25.0-2.mga7.src.rpm
CC: (none) => ouaurelien, sysadmin-bugs

Comment 4 Mageia Robot 2021-01-10 20:47:52 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0021.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED