Bug 27167 - htmlunit new security issue CVE-2020-5529
Summary: htmlunit new security issue CVE-2020-5529
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: validated_update
Duplicates: 27772
Depends on:
Blocks:
 
Reported: 2020-08-21 20:43 CEST by David Walser
Modified: 2021-03-21 11:45 CET

See Also:
Source RPM: htmlunit-2.23-3.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2020-08-21 20:43:56 CEST
Debian-LTS has issued an advisory on August 15:
https://www.debian.org/lts/security/2020/dla-2326

The issue is fixed upstream in 2.37.0.  Debian has a patch.

Mageia 7 is also affected.

David Walser 2020-08-21 20:44:22 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-10-16 21:13:01 CEST
Ubuntu has issued an advisory for this on October 15:
https://ubuntu.com/security/notices/USN-4584-1

The package has (mercifully) been removed from Cauldron.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 2 David Walser 2020-12-07 03:34:15 CET
*** Bug 27772 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

David Walser 2020-12-28 18:42:29 CET

Status comment: (none) => Patch available from Debian and Ubuntu

Comment 3 Nicolas Lécureuil 2021-03-11 17:47:16 CET
Patch added in mga7:

src:
   - htmlunit-2.23-2.1.mga7

CC: (none) => mageia
Assignee: java => qa-bugs
Status comment: Patch available from Debian and Ubuntu => (none)

Comment 4 David Walser 2021-03-12 20:42:58 CET
RPMs:
htmlunit-2.23-2.1.mga7
htmlunit-javadoc-2.23-2.1.mga7

Comment 5 David Walser 2021-03-14 15:47:32 CET
Advisory:
========================

Updated htmlunit packages fix security vulnerability:

It was discovered that HtmlUnit incorrectly initialized the Rhino engine. An
attacker could possibly use this issue to execute arbitrary Java code
(CVE-2020-5529).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5529
https://ubuntu.com/security/notices/USN-4584-1

Comment 6 Brian Rockwell 2021-03-20 16:24:59 CET
This worked MGA7-64bit Java 8

Here is the code. Note this takes an incredible number of dependent jars to work.

Note I used Eclipse

The code

----

package htmlTest;

import com.gargoylesoftware.htmlunit.BrowserVersion;
import com.gargoylesoftware.htmlunit.NicelyResynchronizingAjaxController;
import com.gargoylesoftware.htmlunit.SilentCssErrorHandler;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlPage;

public class mageiaPage {

	public static void main(String[] args) throws Exception {
		// try-with-resources closes the client even if the fetch throws
		try (WebClient webClient = new WebClient(BrowserVersion.getDefault())) {
//			webClient.setCssErrorHandler(new SilentCssErrorHandler());
			webClient.setAjaxController(new NicelyResynchronizingAjaxController());
			webClient.getOptions().setCssEnabled(true);
			webClient.getOptions().setRedirectEnabled(true);
			webClient.getOptions().setAppletEnabled(true);
			// JavaScript is switched off for this run, so page scripts are not executed
			webClient.getOptions().setJavaScriptEnabled(false);
			webClient.getOptions().setPopupBlockerEnabled(true);
			// connection/read timeout in milliseconds
			webClient.getOptions().setTimeout(10000);

			// fetch the page and dump the parsed DOM as XML
			HtmlPage page = webClient.getPage("https://mageia.org");
			System.out.println(page.asXml());
		}
	}

}

-----  

I ran it through Eclipse after an hour of stackexchanging and adding external jars.  Very cool utility though.

Output is XML

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 7 Thomas Andrews 2021-03-20 18:01:19 CET
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Mageia Robot 2021-03-21 11:45:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0148.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

