Bug 30541 - google-gson new security issue CVE-2022-25647
Summary: google-gson new security issue CVE-2022-25647
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-06-12 00:35 CEST by David Walser
Modified: 2022-09-21 20:16 CEST (History)

See Also:
Source RPM: google-gson-2.8.6-1.mga8.src.rpm
CVE: CVE-2022-25647
Status comment:


Attachments

Description David Walser 2022-06-12 00:35:00 CEST
openSUSE has issued an advisory on June 10:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GA6JLF7SGHTXIPP5ONV5N4ECGGCVIYYM/

The issue is fixed upstream in 2.8.9.

Mageia 8 is also affected.
David Walser 2022-06-12 00:35:15 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.8.9

Comment 1 Lewis Smith 2022-06-13 21:33:43 CEST
This is officially with neoclust, but daviddavid most recently committed it - but ages ago. With this uncertainty, assigning this globally; CC'ing NicolasL.

CC: (none) => mageia
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-09-07 19:03:19 CEST
Debian-LTS has issued an advisory for this today (September 7):
https://www.debian.org/lts/security/2022/dla-3100
Comment 3 David Walser 2022-09-08 14:26:19 CEST
Debian has issued an advisory for this on September 7:
https://www.debian.org/security/2022/dsa-5227
Comment 4 Nicolas Salguero 2022-09-09 10:01:24 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. (CVE-2022-25647)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GA6JLF7SGHTXIPP5ONV5N4ECGGCVIYYM/
https://www.debian.org/lts/security/2022/dla-3100
https://www.debian.org/security/2022/dsa-5227
========================

Updated packages in core/updates_testing:
========================
google-gson-2.8.6-1.1.mga8
google-gson-javadoc-2.8.6-1.1.mga8

from SRPM:
google-gson-2.8.6-1.1.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-25647
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.8.9 => (none)
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

Comment 5 Len Lawrence 2022-09-18 17:01:19 CEST
Started to look at this and found a tutorial at TutorialsPoint.  The helloworld test script requires java-11-openjdk-devel for javac, easily installed, but the program itself looks for GsonBuilder and GsonTester which do not seem to be available.  Is there a development package to go with this update?

$ urpmq --whatrequires google-gson
eclipse-cdt
eclipse-cdt-native
google-gson
jgit
lightcouch
protobuf-java-util

Installed lightcouch.
$ less /usr/share/doc/lightcouch/README.md

CouchDB Java API
================
A Java _client_ for [CouchDB](http://couchdb.apache.org/) database.
* Homepage: <http://lightcouch.org/> 

Not going to touch that.
The helloworld route seems the best bet.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2022-09-18 17:30:49 CEST
Trying to learn java at the same time.  CLASSPATH needs to be set:
$ export GSON_HOME="/usr/share/java/google-gson"
$ export CLASSPATH="$GSON_HOME/gson.jar"
$ javac GsonTester.java
$ ls
GsonTester.class  GsonTester.java  Student.class
$ java GsonTester.java
Student [ name: Mahesh, age: 21 ]
{
  "name": "Mahesh",
  "age": 21
}

Expected result.

mga8, x64
Updated packages via qarepo...

$ rm -f *.class
Repeated the compilation and test with identical results.
Not much of a test but it shall have to do.

Whiteboard: (none) => MGA8-64-OK
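The test above only serialises an object. A slightly fuller check for an updated Gson package is a full round trip (object to JSON and back) that also reports which jar the Gson classes were loaded from, so the tester can confirm the package from updates_testing is the one in use. The following is an added example, not the GsonTester program from the tutorial or anything from the bug report; it assumes the jar path /usr/share/java/google-gson/gson.jar quoted in Comment 6, and the Student name and age are constructed values.

```java
// Added example: Gson round-trip check against the packaged jar.
// Assumes the jar lives at /usr/share/java/google-gson/gson.jar (path from Comment 6).
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;

public class GsonRoundTrip {
    // Plain data class; Gson serialises its fields by reflection.
    static class Student {
        String name;
        int age;

        Student(String name, int age) {
            this.name = name;
            this.age = age;
        }

        @Override
        public String toString() {
            return "Student [ name: " + name + ", age: " + age + " ]";
        }
    }

    public static void main(String[] args) {
        Gson gson = new GsonBuilder().setPrettyPrinting().create();

        // Constructed sample input.
        Student in = new Student("Mahesh", 21);
        System.out.println(in);

        // Object -> JSON
        String json = gson.toJson(in);
        System.out.println(json);

        // JSON -> object, then compare field by field.
        Student out = gson.fromJson(json, Student.class);
        if (!in.name.equals(out.name) || in.age != out.age) {
            System.err.println("round-trip mismatch: " + out);
            System.exit(1);
        }

        // Show where the Gson classes came from, to confirm the updated jar is on the classpath.
        System.out.println("Gson loaded from: "
                + Gson.class.getProtectionDomain().getCodeSource().getLocation());
        System.out.println("round-trip OK");
    }
}
```

Compile and run with the packaged jar on the classpath: `javac -cp /usr/share/java/google-gson/gson.jar GsonRoundTrip.java` followed by `java -cp .:/usr/share/java/google-gson/gson.jar GsonRoundTrip`. Run it once before and once after updating via qarepo; the "Gson loaded from" line should point at the jar from the 2.8.6-1.1.mga8 package on the second run.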

Comment 7 Thomas Andrews 2022-09-19 01:36:49 CEST
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-09-20 22:23:40 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2022-09-21 20:16:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0340.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

