A temp directory creation vulnerability exists in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.
CVE: (none) => CVE-2020-8908
Summary: guava security vulnerability CVE-2020-8908 => guava new security issue CVE-2020-8908
Assignee: bugsquad => java
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 30.0
See the link to the upstream commit to fix this issue linked from these: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8908 https://bugzilla.redhat.com/show_bug.cgi?id=1906919
Status comment: Fixed upstream in 30.0 => Patch available from upstream
It sounds like this *may* not be a real issue with Java 7 or later.

Patched packages uploaded by Nicolas for Mageia 7 and Cauldron.

Advisory:
========================

Updated guava packages fix security vulnerability:

A temp directory creation vulnerability exists in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open (CVE-2020-8908).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
========================

Updated packages in core/updates_testing:
========================
guava-25.0-2.1.mga7
guava-javadoc-25.0-2.1.mga7
guava-testlib-25.0-2.1.mga7

from guava-25.0-2.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Status comment: Patch available from upstream => (none)
Version: Cauldron => 7
CC: (none) => mageia
Assignee: java => qa-bugs
The following 3 packages are going to be installed:

- guava-25.0-2.1.mga7.noarch
- guava-javadoc-25.0-2.1.mga7.noarch
- jsr-305-1-0.18.20130910svn.2.mga7.noarch

This places a jar file in /usr/share/java/guava

- - -

I installed eclipse and wrote a program using a single class from guava (splitter)

    package brianSplit;

    import com.google.common.base.Splitter;

    public class Splitme {

        public static void main(String[] args) {
            // TODO Auto-generated method stub
            System.out.println(Splitter.on(',').split("Brian, and someone else"));
        }
    }

working from what I can tell.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1
Keywords: (none) => advisory, validated_update
Source RPM: guava-25.0-4.mga8.src.rpm => guava-25.0-2.mga7.src.rpm
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0021.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED