Bug 30656 - xalan-j2, bcel new security issue CVE-2022-34169
Summary: xalan-j2, bcel new security issue CVE-2022-34169
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: Java Stack Maintainers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-20 15:39 CEST by David Walser
Modified: 2024-01-12 10:20 CET

See Also:
Source RPM: xalan-j2-2.7.2-3.mga8.src.rpm, bcel-6.4.1-2.mga8.src.rpm
CVE:
Status comment: Patch available from OpenJDK

Description David Walser 2022-07-20 15:39:57 CEST
A security issue in the Apache Xalan Java XSLT library has been announced on July 19:
https://www.openwall.com/lists/oss-security/2022/07/19/5

The fix is likely in the commit linked from this message:
https://www.openwall.com/lists/oss-security/2022/07/20/3

which comes from a fix in the July 2022 Oracle CPU for Java:
https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA

Mageia 8 is also affected.
David Walser 2022-07-20 15:41:02 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from OpenJDK

Comment 1 Lewis Smith 2022-07-20 21:06:11 CEST
Assigning globally in the absence of a visible maintainer.

Assignee: bugsquad => pkg-bugs

David Walser 2022-07-20 21:08:49 CEST

Assignee: pkg-bugs => java

Comment 2 David Walser 2022-10-18 14:35:46 CEST
Apparently the true source of the bug is bcel:
https://www.openwall.com/lists/oss-security/2022/10/18/2

An upstream commit to fix the issue is linked from the message above.

Summary: xalan-j2 new security issue CVE-2022-34169 => xalan-j2, bcel new security issue CVE-2022-34169
Source RPM: xalan-j2-2.7.2-3.mga8.src.rpm => xalan-j2-2.7.2-3.mga8.src.rpm, bcel-6.4.1-2.mga8.src.rpm

Comment 3 David Walser 2022-10-19 16:31:33 CEST
(In reply to David Walser from comment #2)
> Apparently the true source of the bug is bcel:
> https://www.openwall.com/lists/oss-security/2022/10/18/2
> 
> An upstream commit to fix the issue is linked from the message above.

Debian has issued an advisory for this on October 18:
https://www.debian.org/security/2022/dsa-5256
Comment 4 David Walser 2022-11-07 20:47:55 CET
Apache has issued an advisory for this on November 4:
https://www.openwall.com/lists/oss-security/2022/11/04/6

It used a duplicate CVE, CVE-2022-42920:
https://www.openwall.com/lists/oss-security/2022/11/04/8
Comment 5 David Walser 2022-12-02 17:35:52 CET
openSUSE has issued an advisory for this on December 1:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NWWNNMR4ZBQI2A3G4VUI5NSF6HJXU7AP/
Comment 6 David Walser 2022-12-12 17:03:32 CET
Fedora has issued an advisory for this on December 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/
Comment 7 David GEIGER 2023-07-01 19:35:09 CEST
Fixed in our current bcel-6.5.0-2.mga9 package on cauldron!

Whiteboard: MGA8TOO => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 8

Comment 8 David Walser 2023-07-01 19:44:16 CEST
Did the commit from Comment 0 ever get added to xalan-j2?
Comment 9 David GEIGER 2023-07-02 07:40:10 CEST
If I understand correctly, this security issue only affects bcel, which xalan-j2 depends on:

From Debian:
"Bug is most likely only in bcel which libxalan2-java depends on"

https://github.com/advisories/GHSA-97xg-phpr-rg8q

And the commit from Comment 0 is to fix the bcel copy bundled into OpenJDK.
Comment 10 Nicolas Salguero 2024-01-12 10:20:31 CET
Mageia 8 EOL

CC: (none) => nicolas.salguero
Status: NEW => RESOLVED
Resolution: (none) => OLD