
List:       oss-security
Subject:    Re: [oss-security] CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer trunca
From:       Moritz Muehlenhoff <jmm () inutil ! org>
Date:       2022-07-20 8:49:26
Message-ID: 20220720084926.GA11533 () inutil ! org

On Tue, Jul 19, 2022 at 02:21:40PM -0500, John Helmert III wrote:
> On Tue, Jul 19, 2022 at 05:37:46PM +0000, Mark J. Cox wrote:
> > Description:
> > 
> > The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when
> > processing malicious XSLT stylesheets. This can be used to corrupt Java class files
> > generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
> > The Apache Xalan Java project is dormant and in the process of being retired. No future
> > releases of Apache Xalan Java to address this issue are expected.
> > Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
> > 
> > Credit:
> > 
> > Reported by Felix Wilhelm, Google Project Zero
> > 
> > References:
> > 
> > https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
> > 
> 
> Hi, is there any available patch or bug report? The reference here
> only seems to be a discussion of the retirement of xalan-j, rather
> than the vulnerability.

This seems to be the patch for the Xalan copy vendored in OpenJDK:
https://github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297

Cheers,
        Moritz
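The following is an added illustration of the bug class the advisory describes (an integer silently narrowed when written into a fixed-width field of a generated class file); it is not code from this thread, from Apache Xalan or from the OpenJDK patch. It assumes a constructed, count-prefixed table whose count and entries are 2-byte big-endian fields, in the style of the `u2` fields of the Java class-file format, and contrasts an unchecked writer (which drops the high bits, as `DataOutputStream.writeShort` does) with a writer that refuses values that do not fit. A reader that trusts the truncated count then sees fewer entries than are actually present, so the surplus bytes are interpreted as whatever structure follows, which is how corrupted output can arise from an over-large input.

```python
import struct

U2_MAX = 0xFFFF  # largest value a 2-byte unsigned big-endian field can hold


def write_u2_truncating(n: int) -> bytes:
    """Narrow n to 16 bits without checking, as an unchecked writer would.

    (Constructed stand-in for the defect class: the high bits are dropped
    silently, so 70000 becomes 4464.)
    """
    return struct.pack(">H", n & U2_MAX)


def write_u2_checked(n: int) -> bytes:
    """Write n as a u2 only if it fits; otherwise fail loudly.

    This is the shape of the fix for this class of bug: bounds-check before
    narrowing instead of letting the value wrap.
    """
    if not 0 <= n <= U2_MAX:
        raise ValueError(f"value {n} does not fit in a u2 field")
    return struct.pack(">H", n)


def build_table(entries, writer) -> bytes:
    """Serialise a count-prefixed table: a u2 count followed by one u2 per entry.

    Hypothetical format constructed for this example; it is not the class-file
    layout XSLTC emits.
    """
    out = bytearray(writer(len(entries)))
    for entry in entries:
        out += writer(entry)
    return bytes(out)


def entries_claimed_vs_present(blob: bytes) -> tuple[int, int]:
    """Compare the count stored in the header with the entries actually present.

    A mismatch is the detectable symptom of a truncated count: a consumer that
    trusts the header stops early and parses the remaining entry bytes as the
    next section of the file.
    """
    claimed = struct.unpack_from(">H", blob, 0)[0]
    present = (len(blob) - 2) // 2
    return claimed, present


if __name__ == "__main__":
    small = build_table([7] * 3, write_u2_checked)
    print("small table:", entries_claimed_vs_present(small))          # (3, 3)

    big = build_table([7] * 70000, write_u2_truncating)
    print("truncated header:", entries_claimed_vs_present(big))       # (4464, 70000)

    try:
        build_table([7] * 70000, write_u2_checked)
    except ValueError as exc:
        print("checked writer rejected it:", exc)
```

The checked writer turns a silent wrap into a hard error at generation time; the consistency check shows the same condition from the consumer's side, which is the signal a validator of generated artefacts would look for.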

