Bug 27555 - junit new security issue CVE-2020-15250
Summary: junit new security issue CVE-2020-15250
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-02 18:21 CET by David Walser
Modified: 2020-11-08 15:15 CET

See Also:
Source RPM: junit-4.13-2.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 4.13.1


Attachments
Primary test file (197 bytes, text/plain)
2020-11-07 11:32 CET, Herman Viaene
To test the test file (267 bytes, text/plain)
2020-11-07 11:33 CET, Herman Viaene

Description David Walser 2020-11-02 18:21:47 CET
Debian-LTS has issued an advisory on November 1:
https://www.debian.org/lts/security/2020/dla-2426

The issue is fixed upstream in 4.13.1:
https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp

Mageia 7 is also affected.
David Walser 2020-11-02 18:22:03 CET

Status comment: (none) => Fixed upstream in 4.13.1
Whiteboard: (none) => MGA7TOO

Comment 1 Mike Rambo 2020-11-05 15:27:14 CET
Upgraded cauldron to version 4.13.1.


Patched package uploaded for Mageia 7.

Advisory:
========================

Updated junit package fixes security vulnerability:

It was discovered that junit contained a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability (CVE-2020-15250).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250
https://www.debian.org/lts/security/2020/dla-2426
========================

Updated packages in core/updates_testing:
========================
junit-4.12-7.1.mga7.noarch.rpm
junit-javadoc-4.12-7.1.mga7.noarch.rpm
junit-manual-4.12-7.1.mga7.noarch.rpm

from junit-4.12-7.1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: java => qa-bugs
CC: (none) => mrambo

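The advisory above describes the general weakness: a test helper that creates its scratch directory under the shared system temporary directory with the process umask, leaving it listable and readable by every local user. The following Java program is an added example, not code from this bug report or from the JUnit project; it contrasts the legacy "create a temp file, delete it, mkdir the same name" pattern with java.nio.file.Files.createTempDirectory, which on POSIX creates the directory with owner-only permissions (rwx------), and then checks each directory for group/other access so a packager or tester can verify the behaviour on their own system. The class and method names are assumptions chosen for this illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

public class TempDirPermissions {

    // Legacy pattern: create a temp file, delete it, then re-create the same name
    // as a directory. mkdir() applies the process umask, so the directory is
    // typically 0755 and any local user can list and read what is written into it.
    static File createTempDirLegacy() throws IOException {
        File f = File.createTempFile("junit", "");
        if (!f.delete()) {
            throw new IOException("could not delete " + f);
        }
        if (!f.mkdir()) {
            throw new IOException("could not create " + f);
        }
        return f;
    }

    // Hardened pattern: Files.createTempDirectory creates the directory with
    // owner-only permissions (rwx------) on POSIX systems, so other users
    // cannot enter or read it regardless of the umask.
    static Path createTempDirHardened() throws IOException {
        return Files.createTempDirectory("junit");
    }

    // Returns true when group or others hold any permission bit on the path.
    static boolean isAccessibleToOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        for (PosixFilePermission perm : perms) {
            if (perm != PosixFilePermission.OWNER_READ
                    && perm != PosixFilePermission.OWNER_WRITE
                    && perm != PosixFilePermission.OWNER_EXECUTE) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        File legacy = createTempDirLegacy();
        Path hardened = createTempDirHardened();
        try {
            System.out.println(legacy + " accessible to others: "
                    + isAccessibleToOthers(legacy.toPath()));
            System.out.println(hardened + " accessible to others: "
                    + isAccessibleToOthers(hardened));
        } finally {
            // Clean up both scratch directories so nothing lingers in /tmp.
            legacy.delete();
            Files.delete(hardened);
        }
    }
}
```

Compile and run it with `javac TempDirPermissions.java && java TempDirPermissions` on a Linux host; with a default umask of 022 the legacy directory reports `true` and the hardened one `false`. Setting a umask of 077 before running hides the difference, which is exactly why a fix must not rely on the caller's umask.
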
Comment 2 Herman Viaene 2020-11-07 11:31:47 CET
MGA7-64 MATE on Peaq C1011
No installation issues.
Found https://github.com/junit-team/junit4/wiki/Getting-started for testing, just limited myself to the successful test.
I will upload the test files, but for future reference: don't forget to copy the jars to the working directory.
$ javac Calculator.java

$ javac -cp .:junit.jar:core.jar CalculatorTest.java


$ java -cp .:junit.jar:core.jar org.junit.runner.JUnitCore CalculatorTest
JUnit version 4.12
.
Time: 0.021

OK (1 test)

OK'ing unless someone else has another idea.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Herman Viaene 2020-11-07 11:32:45 CET
Created attachment 11980
Primary test file
Comment 4 Herman Viaene 2020-11-07 11:33:20 CET
Created attachment 11981
To test the test file
Comment 5 Thomas Andrews 2020-11-07 22:35:28 CET
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Aurelien Oudelet 2020-11-08 11:44:47 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-11-08 15:15:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0403.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
