| Summary: | google-gson new security issue CVE-2022-25647 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, mageia, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | google-gson-2.8.6-1.mga8.src.rpm | CVE: | CVE-2022-25647 |
| Status comment: | |||
|
Description

David Walser, 2022-06-12 00:35:00 CEST

David Walser, 2022-06-12 00:35:15 CEST

Whiteboard: (none) => MGA8TOO

This is officially with neoclust, but daviddavid most recently committed it - but ages ago. With this uncertainty, assigning this globally; CC'ing NicolasL.

CC: (none) => mageia

Debian-LTS has issued an advisory for this today (September 7):
https://www.debian.org/lts/security/2022/dla-3100

Debian has issued an advisory for this on September 7:
https://www.debian.org/security/2022/dsa-5227

Suggested advisory:
========================

The updated packages fix a security vulnerability:

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. (CVE-2022-25647)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GA6JLF7SGHTXIPP5ONV5N4ECGGCVIYYM/
https://www.debian.org/lts/security/2022/dla-3100
https://www.debian.org/security/2022/dsa-5227
========================

Updated packages in core/updates_testing:
========================
google-gson-2.8.6-1.1.mga8
google-gson-javadoc-2.8.6-1.1.mga8

from SRPM:
google-gson-2.8.6-1.1.mga8.src.rpm

Version: Cauldron => 8

Started to look at this and found a tutorial at TutorialsPoint. The helloworld test script requires java-11-openjdk-devel for javac, easily installed, but the program itself looks for GsonBuilder and GsonTester which do not seem to be available. Is there a development package to go with this update?

$ urpmq --whatrequires google-gson
eclipse-cdt
eclipse-cdt-native
google-gson
jgit
lightcouch
protobuf-java-util

Installed lightcouch.

$ less /usr/share/doc/lightcouch/README.md
CouchDB Java API
================
A Java _client_ for [CouchDB](http://couchdb.apache.org/) database.
* Homepage: <http://lightcouch.org/>

Not going to touch that. The helloworld route seems the best bet.

CC: (none) => tarazed25

Trying to learn Java at the same time. CLASSPATH needs to be set:
$ export GSON_HOME="/usr/share/java/google-gson"
$ export CLASSPATH="$GSON_HOME/gson.jar"
$ javac GsonTester.java
$ ls
GsonTester.class GsonTester.java Student.class
$ java GsonTester.java
Student [ name: Mahesh, age: 21 ]
{
"name": "Mahesh",
"age": 21
}
Expected result.
mga8, x64

Updated packages via qarepo...

$ rm -f *.class

Repeated the compilation and test with identical results.
Not much of a test but it shall have to do.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
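The QA round trip above, written out as one self-contained file. This is an added example, not code from the bug report, the TutorialsPoint tutorial or the google-gson project: the Student class, the field names, the malformed sample input and the `AssertionError` checks are assumptions chosen to mirror the output shown in the comment. It uses only the public Gson API (`GsonBuilder`, `toJson`, `fromJson`, `JsonSyntaxException`) and the classpath the comment exported, and it exercises JSON parsing only; it does not touch the Java-serialization `writeReplace()` path that CVE-2022-25647 describes, so it is a functional smoke test of the updated package, not a check for the fix itself.

```java
// Added example (not from the bug report): a Gson smoke test modelled on the
// GsonTester/Student round trip used in the QA comment above.
// Assumes gson.jar from the google-gson package is on CLASSPATH, e.g.
//   export CLASSPATH=/usr/share/java/google-gson/gson.jar:.
//   javac GsonTester.java && java GsonTester
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonSyntaxException;

// Assumed data class; Gson maps the JSON keys onto the field names.
class Student {
    private String name;
    private int age;

    Student() {}   // no-arg constructor so Gson can instantiate it normally
    Student(String name, int age) { this.name = name; this.age = age; }

    String getName() { return name; }
    int getAge() { return age; }

    @Override
    public String toString() {
        return "Student [ name: " + name + ", age: " + age + " ]";
    }
}

public class GsonTester {
    public static void main(String[] args) {
        Gson gson = new GsonBuilder().setPrettyPrinting().create();

        // 1. Object -> JSON -> Object round trip (the check the QA run performed).
        Student student = new Student("Mahesh", 21);
        String json = gson.toJson(student);
        System.out.println(student);
        System.out.println(json);

        Student back = gson.fromJson(json, Student.class);
        if (!"Mahesh".equals(back.getName()) || back.getAge() != 21) {
            throw new AssertionError("round trip changed the data: " + back);
        }

        // 2. Malformed input (constructed sample) must be rejected with a
        //    JsonSyntaxException rather than silently producing an object.
        String malformed = "{\"name\": \"Mahesh\", \"age\": }";
        try {
            gson.fromJson(malformed, Student.class);
            throw new AssertionError("malformed JSON was accepted");
        } catch (JsonSyntaxException expected) {
            System.out.println("malformed input rejected: " + expected.getMessage());
        }

        System.out.println("OK");
    }
}
```

Compile and run it exactly as the comment did (`javac GsonTester.java`, then `java GsonTester`); both the pretty-printed JSON and the final `OK` line should appear before and after the package update.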
Dave Hodgins, 2022-09-20 22:23:40 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0340.html

Status: ASSIGNED => RESOLVED