[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary byt
From:       John Helmert III <ajak () gentoo ! org>
Date:       2022-11-07 17:35:04
Message-ID: Y2lByE1FNVw3z/L8 () gentoo ! org
[Download RAW message or body]


Copying Apache's CNA address and original sender. The new CVE is now
public.

On Fri, Nov 04, 2022 at 03:54:46PM -0500, John Helmert III wrote:
> On Fri, Nov 04, 2022 at 05:35:34PM +0000, Gary D. Gregory wrote:
> > Description:
> > 
> > Apache Commons BCEL has a number of APIs that would normally only allow changing specific \
> > class characteristics. However, due to an out-of-bounds writing issue, these APIs can be \
> > used to produce arbitrary bytecode. This could be abused in applications that pass \
> > attacker-controllable data to those APIs, giving the attacker more control over the \
> > resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0. 
> > This issue is being tracked as BCEL-363
> > 
> > Credit:
> > 
> > Reported by Felix Wilhelm (Google); GitHub pull request to Apache Commons BCEL #147 by \
> > Richard Atkins (https://github.com/rjatkins); PR derived from OpenJDK \
> > (https://github.com/openjdk/jdk11u/) commit 13bf52c8d876528a43be7cb77a1f452d29a21492 by \
> > Aleksei Voitylov and RealCLanger (Christoph Langer https://github.com/RealCLanger) 
> 
> This appears to be a duplicate of CVE-2022-34169 (also issued by the
> Apache CNA), and previously discussed on this list at [1]. It was
> eventually reported to the list that the vulnerability was actually in
> bcel [2].
> 
> [1] https://www.openwall.com/lists/oss-security/2022/07/19/5
> [2] https://www.openwall.com/lists/oss-security/2022/10/18/2


["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]