
CVE-2023-2976 has not been fixed on f40 #129

Closed
jackchan-x opened this issue Oct 23, 2023 · 4 comments

Comments

@jackchan-x

Hello, a vulnerability CVE-2023-2976 was recently reported in Guava. The upstream community suggests upgrading to version 32.0.1, but the latest version in Fedora is still 31.1 and there is no patch to fix this vulnerability in Fedora. May I ask why Fedora has not fixed this vulnerability?
References:

@mizdebsk
Member

First, Fedora bugs are tracked in Red Hat Bugzilla at https://bugzilla.redhat.com/.
In the case of CVE-2023-2976, the bugs are:

We are planning to fix the issue in Fedora, but it has moderate severity, so it was preempted by more important work.

As for javapackages-bootstrap, the use of Guava is very limited and therefore has low severity. It will be fixed eventually by updating Guava to a newer version, but it's not a priority for the project.

@jackchan-x
Author

jackchan-x commented Oct 23, 2023

First, Fedora bugs are tracked in Red Hat Bugzilla at https://bugzilla.redhat.com/. In the case of CVE-2023-2976, the bugs are:

We are planning to fix the issue in Fedora, but it has moderate severity, so it was preempted by more important work.

As for javapackages-bootstrap, the use of Guava is very limited and therefore has low severity. It will be fixed eventually by updating Guava to a newer version, but it's not a priority for the project.

Thanks.

@rikenm1

rikenm1 commented Mar 22, 2024

Hi Fedora Java Team,
We are using a very old jpb-bootstrap version in Azure Linux, i.e. 1.5.0. I was updating the source to Guava source 32.1.3 for this exact CVE.
I updated the guava.xml and guava.properties in projects. 1.5.0 did not have jurand, hence I still had to use the older guava.properties from 1.5.0.
The build fails at the Guava compilation stage. The Ant stage went fine. There is no log or anything to debug this error.

time="2024-03-22T15:00:01Z" level=debug msg="guava: compiler"
time="2024-03-22T15:00:02Z" level=debug msg="Failed to execute tool compiler on module guava: Compilation failed"
time="2024-03-22T15:00:02Z" level=debug msg="BUILD FAILURE"

As it failed during the compile time/compiler tool, it may be a jsr-305 version incompatibility with Guava that is causing it (EDIT: looks like this is fine with 3.0.2). I have updated other sources which did not have this issue. Any help is appreciated.

<project>
  <licensing>
    <tag>ASL 2.0 and CC0</tag>
  </licensing>
  <module>
    <dependency>jsr-305</dependency>
    <build>
      <ant>
        <run>
          [copy todir="${generatedSources}"]
            [fileset dir="${basedir}/guava/src"/]
            [fileset dir="${basedir}/futures/failureaccess/src"/]
          [/copy]
          [fileset id="java_source_files" dir="${generatedSources}"]
            [include name="**/*.java"/]
          [/fileset]
          [replaceregexp flags="g"]
            [regexp pattern="import org\.checkerframework.*;"/]
            [substitution expression=""/]
            [fileset refid="java_source_files"/]
          [/replaceregexp]
          [replaceregexp flags="g"]
            [regexp pattern="import com\.google.*\.annotations.*;"/]
            [substitution expression=""/]
            [fileset refid="java_source_files"/]
          [/replaceregexp]
          <!-- Match multi-line annotations with parentheses. -->
          [replaceregexp flags="sg"]
            [regexp pattern="@[[a-zA-A\.]]*DoNotMock\(.*?\)\n"/]
            [substitution expression=""/]
            [fileset refid="java_source_files"/]
          [/replaceregexp]
          <!-- Match single-line annotations with parentheses. -->
          [replaceregexp flags="sg"]
            [regexp pattern="(@GwtCompatible|@GwtIncompatible|@VisibleForTesting|@Immutable|@CompatibleWith|@ReflectionSupport|@GuardedBy|@DoNotCall)\(.*\)"/]
            [substitution expression=""/]
            [fileset refid="java_source_files"/]
          [/replaceregexp]
          <!-- Match one-word annotations, i.e. not using parentheses -->
          [replaceregexp flags="g"]
            [regexp pattern="(@Beta|@GwtCompatible|@DoNotMock|@Nullable|@GwtIncompatible|@MonotonicNonNull|@WeakOuter|@VisibleForTesting|@Immutable|@CanIgnoreReturnValue|@NonNull|@J2ObjCIncompatible|@LazyInit|@RetainedWith|@ForOverride|@Weak|@MustBeClosed|@CheckReturnValue|@OverridingMethodsMustInvokeSuper)"/]
            [substitution expression=""/]
            [fileset refid="java_source_files"/]
          [/replaceregexp]
        </run>
      </ant>
      <compiler>
        <excludeSourceClass>com/google/common/cache/Striped64</excludeSourceClass>
        <excludeSourceClass>com/google/common/cache/LongAdder</excludeSourceClass>
        <excludeSourceClass>com/google/common/hash/Striped64</excludeSourceClass>
        <excludeSourceClass>com/google/common/hash/LongAdder</excludeSourceClass>
      </compiler>
    </build>
  </module>
</project>

@rikenm1

rikenm1 commented Mar 22, 2024

Using jurand solves this. Probably new annotations were added which are not replaced, I guess.
I still do not know why we are replacing all these annotations.
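An added pre-compile diagnostic (not part of this thread or of javapackages-bootstrap) that mirrors the import-removal patterns and annotation lists from the project file above: it reports annotations whose import the build deletes but whose usage none of the replaceregexp passes strips, which is exactly the "cannot find symbol" situation a newer Guava hits when it uses an annotation the lists do not know. The Java fragment is constructed; the InlineMe annotation in it is only an illustration of a name absent from the lists.

```python
import re

# Simple names that the project file's parenthesised and single-word
# replaceregexp passes delete textually (copied from both alternations).
STRIPPED = {
    "Beta", "GwtCompatible", "DoNotMock", "Nullable", "GwtIncompatible",
    "MonotonicNonNull", "WeakOuter", "VisibleForTesting", "Immutable",
    "CanIgnoreReturnValue", "NonNull", "J2ObjCIncompatible", "LazyInit",
    "RetainedWith", "ForOverride", "Weak", "MustBeClosed", "CheckReturnValue",
    "OverridingMethodsMustInvokeSuper", "CompatibleWith", "ReflectionSupport",
    "GuardedBy", "DoNotCall",
}

# Import lines the project file deletes: org.checkerframework.* and
# com.google.*.annotations.* (common, errorprone, j2objc); group 1 is the
# imported simple class name.
IMPORT_RE = re.compile(
    r"^import (?:org\.checkerframework\.|com\.google\.\S*\.annotations\.)\S*?(\w+);",
    re.MULTILINE)
USE_RE = re.compile(r"@(\w+)")


def dangling_annotations(java_source):
    """Map simple name -> deleted import line for every annotation that is
    still referenced after stripping but whose import is gone. Javadoc tags
    such as @param never have a removed import, so they are never reported."""
    removed = {m.group(1): m.group(0) for m in IMPORT_RE.finditer(java_source)}
    used = set(USE_RE.findall(java_source))
    return {n: removed[n] for n in sorted(used & (removed.keys() - STRIPPED))}


# Constructed Guava-style fragment (not real Guava code).
SAMPLE_JAVA = """\
package com.google.common.collect;

import com.google.common.annotations.GwtCompatible;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.google.errorprone.annotations.InlineMe;
import com.google.errorprone.annotations.concurrent.LazyInit;
import org.checkerframework.checker.nullness.qual.Nullable;
import java.util.Objects;

/** @param s javadoc tags are not annotations */
@GwtCompatible(emulated = true)
public final class Example {
  @LazyInit private static String cache;
  @CanIgnoreReturnValue
  public static @Nullable String f(String s) { return Objects.requireNonNull(s); }
  @Deprecated @InlineMe(replacement = "Example.f(s)")
  public static String g(String s) { return f(s); }
}
"""

if __name__ == "__main__":
    for name, imp in dangling_annotations(SAMPLE_JAVA).items():
        print(f"{name}: '{imp}' is deleted but the usage survives")
```

Run it over the generated sources directory before the compiler stage to get the missing log the thread complains about.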
