Bug 30656

Summary: xalan-j2, bcel new security issue CVE-2022-34169
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Java Stack Maintainers <java>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: geiger.david68210, nicolas.salguero
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: xalan-j2-2.7.2-3.mga8.src.rpm, bcel-6.4.1-2.mga8.src.rpm
CVE:
Status comment: Patch available from OpenJDK

Description David Walser 2022-07-20 15:39:57 CEST
A security issue in the Apache Xalan Java XSLT library has been announced on July 19:
https://www.openwall.com/lists/oss-security/2022/07/19/5

The fix is likely in the commit linked from this message:
https://www.openwall.com/lists/oss-security/2022/07/20/3

which comes from a fix in the July 2022 Oracle CPU for Java:
https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA

Mageia 8 is also affected.
David Walser 2022-07-20 15:41:02 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from OpenJDK

Comment 1 Lewis Smith 2022-07-20 21:06:11 CEST
Assigning globally in the absence of a visible maintainer.

Assignee: bugsquad => pkg-bugs

David Walser 2022-07-20 21:08:49 CEST

Assignee: pkg-bugs => java

Comment 2 David Walser 2022-10-18 14:35:46 CEST
Apparently the true source of the bug is bcel:
https://www.openwall.com/lists/oss-security/2022/10/18/2

An upstream commit to fix the issue is linked from the message above.

Summary: xalan-j2 new security issue CVE-2022-34169 => xalan-j2, bcel new security issue CVE-2022-34169
Source RPM: xalan-j2-2.7.2-3.mga8.src.rpm => xalan-j2-2.7.2-3.mga8.src.rpm, bcel-6.4.1-2.mga8.src.rpm

Comment 3 David Walser 2022-10-19 16:31:33 CEST
(In reply to David Walser from comment #2)
> Apparently the true source of the bug is bcel:
> https://www.openwall.com/lists/oss-security/2022/10/18/2
> 
> An upstream commit to fix the issue is linked from the message above.

Debian has issued an advisory for this on October 18:
https://www.debian.org/security/2022/dsa-5256

Comment 4 David Walser 2022-11-07 20:47:55 CET
Apache has issued an advisory for this on November 4:
https://www.openwall.com/lists/oss-security/2022/11/04/6

It used a duplicate CVE, CVE-2022-42920:
https://www.openwall.com/lists/oss-security/2022/11/04/8

Comment 5 David Walser 2022-12-02 17:35:52 CET
openSUSE has issued an advisory for this on December 1:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NWWNNMR4ZBQI2A3G4VUI5NSF6HJXU7AP/

Comment 6 David Walser 2022-12-12 17:03:32 CET
Fedora has issued an advisory for this on December 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/

Comment 7 David GEIGER 2023-07-01 19:35:09 CEST
Fixed in our current bcel-6.5.0-2.mga9 package on cauldron!

Whiteboard: MGA8TOO => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 8

Comment 8 David Walser 2023-07-01 19:44:16 CEST
Did the commit from Comment 0 ever get added to xalan-j2?

Comment 9 David GEIGER 2023-07-02 07:40:10 CEST
If I understand correctly, this security issue only affects bcel, which xalan-j2 depends on:

From Debian:
"Bug is most likely only in bcel which libxalan2-java depends on"

https://github.com/advisories/GHSA-97xg-phpr-rg8q

And the commit from Comment 0 is to fix the bcel copy bundled into OpenJDK.

Comment 10 Nicolas Salguero 2024-01-12 10:20:31 CET
Mageia 8 EOL

CC: (none) => nicolas.salguero
Status: NEW => RESOLVED
Resolution: (none) => OLD