Bug 10817 - openjpa new security issue CVE-2013-1768
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/560007/
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Reported: 2013-07-22 19:44 CEST by David Walser
Modified: 2013-10-05 20:01 CEST (History)
Source RPM: openjpa-2.2.1-2.mga4.src.rpm
Description David Walser 2013-07-22 19:44:28 CEST
Fedora has issued an advisory on July 14:
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112029.html

The issue is fixed upstream in 2.2.2.

There are also patches available from Fedora.

Patch for 2.2.1 (version in Cauldron):
http://pkgs.fedoraproject.org/cgit/openjpa.git/tree/openjpa-CVE-2013-1768.patch?h=f19&id=2264b233a2441c6aed901a11499955b42ed46806

Patch for 2.2.0 (version in Mageia 3):
http://pkgs.fedoraproject.org/cgit/openjpa.git/tree/openjpa-2.2.0-CVE-2013-1768.patch?h=f18&id=0088d052b69f5b36b2af335469c3dd7fe07845f3

No patch available for 2.0.0 (version in Mageia 2).

Comment 1 David Walser 2013-08-22 23:40:15 CEST
Fixed in Cauldron in openjpa-2.2.1-3.mga4.

Patched package uploaded for Mageia 3, openjpa-2.2.0-3.1.mga3, which provides:
openjpa-2.2.0-3.1.mga3
openjpa-tools-2.2.0-3.1.mga3
openjpa-javadoc-2.2.0-3.1.mga3

I found an upstream patch for 2.0.0 for Mageia 2 linked from here:
http://seclists.org/fulldisclosure/2013/Jun/98

I added it in SVN, but it fails to build with this patch:
http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20130822211956.luigiwalser.valstar.387/log/openjpa-2.0.0-1.1.mga2/build.0.20130822212005.log
Comment 2 David Walser 2013-08-27 23:01:47 CEST
I don't know if it's important, but the patches to 2.2.0 and 2.2.1 have a change to openjpa-slice/src/main/java/org/apache/openjpa/slice/jdbc/DistributedJDBCConfigurationImpl.java that isn't in the patch for 2.0.0 (the rest of the patches are the same):
@@ -260,7 +260,7 @@

     public QueryTargetPolicy getQueryTargetPolicyInstance() {
         if (queryTargetPolicyPlugin.get() == null) {
-            queryTargetPolicyPlugin.instantiate(ReplicationPolicy.class,
+            queryTargetPolicyPlugin.instantiate(QueryTargetPolicy.class,
                     this, true);
         }
         return (QueryTargetPolicy) queryTargetPolicyPlugin.get();
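Review bot: the single changed line in this hunk corrects a type mismatch in `getQueryTargetPolicyInstance()`: the plugin was being instantiated with `ReplicationPolicy.class` while the method casts and returns the result as a `QueryTargetPolicy` (`return (QueryTargetPolicy) queryTargetPolicyPlugin.get();`), so the default instance created there did not match the declared policy type. This is unrelated to the JSP/logging behaviour the CVE text describes and cannot explain a compile failure, so it is consistent with the build error having another cause; before leaving it out of the 2.0.0 backport, check whether 2.0.0's DistributedJDBCConfigurationImpl.java has the same `ReplicationPolicy.class` argument at this spot and, if so, carry the one-line change over.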

I don't think that's the cause of the build error though, that looks like maybe a missing BuildRequires.
Comment 3 D Morgan 2013-09-30 11:33:31 CEST
built OK, ready for QA
Comment 4 David Walser 2013-10-01 00:32:01 CEST
Thanks D Morgan!

Advisory:
========================

Updated openjpa packages fix security vulnerability:

The BrokerFactory functionality in Apache OpenJPA before 2.2.2 creates local
executable JSP files containing logging trace data produced during
deserialization of certain crafted OpenJPA objects, which makes it easier for
remote attackers to execute arbitrary code by creating a serialized object and
leveraging improperly secured server programs (CVE-2013-1768).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1768
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112029.html
========================

Updated packages in core/updates_testing:
========================
openjpa-2.0.0-1.1.mga2
openjpa-javadoc-2.0.0-1.1.mga2
openjpa-2.2.0-3.1.mga3
openjpa-tools-2.2.0-3.1.mga3
openjpa-javadoc-2.2.0-3.1.mga3

from SRPMS:
openjpa-2.0.0-1.1.mga2.src.rpm
openjpa-2.2.0-3.1.mga3.src.rpm
Comment 5 claire robinson 2013-10-03 16:45:53 CEST
No PoC and requires java programming knowledge to test. Ensuring it updates without issues should be enough in this case.
Comment 6 claire robinson 2013-10-04 11:02:51 CEST
Testing complete mga3 32 & 64
Comment 7 claire robinson 2013-10-04 11:21:37 CEST
Testing complete mga2 32 & 64
Comment 8 claire robinson 2013-10-04 11:27:57 CEST
Validating. Advisory 10817.adv uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to updates?

Thanks!
Comment 9 Thomas Backlund 2013-10-05 20:01:31 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0292.html
