FS#72535 - [java8-openjfx java8-openjfx-src] [Security] multiple issues (CVE-2021-3522 CVE-2021-3517)

Attached to Project: Arch Linux
Opened by loqs (loqs) - Sunday, 24 October 2021, 22:05 GMT
Last edited by freswa (frederik) - Wednesday, 16 February 2022, 23:38 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Levente Polyak (anthraxx)
freswa (frederik)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No



The packages java8-openjfx and java8-openjfx-src are vulnerable to multiple issues including arbitrary code execution and arbitrary filesystem access via CVE-2021-3522 and CVE-2021-3517.

[1] Includes the builds fixes from  FS#68008 . Plus fix for bundled webkit build failure with gcc 11, by building component with -std=gnu++14.
Applies [2] for CVE-2021-3517. Applies [3] for CVE-2021-3522.


[1] PKGBUILD.diff
[2] https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2.patch
[3] https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/8a88e5c1db05ebadfd4569955f6f47c23cdca3c4.patch
This task depends upon

Closed by  freswa (frederik)
Wednesday, 16 February 2022, 23:38 GMT
Reason for closing:  Implemented
Additional comments about closing:  8.u202-4 in [staging]
Comment by freswa (frederik) - Wednesday, 16 February 2022, 13:51 GMT
Thank you for the patch. Does this compile for you atm? I'm getting gcc errors...
Comment by loqs (loqs) - Wednesday, 16 February 2022, 22:47 GMT
Embedded webkit fails to build with LTO enabled. Disabled LTO for the component.
java8-openjfx-flags.patch imports the CFLAGS environment variable and splits it into an array using space as the delimiter. This produces unexpected results with the current CFLAGS which has runs of spaces inside it.
Worked around by reformatting CFLAGS variable.
Comment by freswa (frederik) - Wednesday, 16 February 2022, 23:37 GMT
Awesome find! Thank you!