FS#72535 : [java8-openjfx java8-openjfx-src] [Security] multiple issues (CVE-2021-3522 CVE-2021-3517)

FS#72535 - [java8-openjfx java8-openjfx-src] [Security] multiple issues (CVE-2021-3522 CVE-2021-3517)

Attached to Project: Arch Linux
Opened by loqs (loqs) - Sunday, 24 October 2021, 22:05 GMT
Last edited by freswa (frederik) - Wednesday, 16 February 2022, 23:38 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Levente Polyak (anthraxx) freswa (frederik)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	1 Leonidas Spyropoulos (inglor) (2022-02-16)
Private	No

Details

Summary
=======

The packages java8-openjfx and java8-openjfx-src are vulnerable to multiple issues including arbitrary code execution and arbitrary filesystem access via CVE-2021-3522 and CVE-2021-3517.

[1] Includes the builds fixes from ~~FS#68008~~ . Plus fix for bundled webkit build failure with gcc 11, by building component with -std=gnu++14.
Applies [2] for CVE-2021-3517. Applies [3] for CVE-2021-3522.

References
==========

https://security.archlinux.org/AVG-2481
https://openjdk.java.net/groups/vulnerability/advisories/2021-10-19
https://www.oracle.com/security-alerts/cpuoct2021verbose.html#JAVA
https://bugzilla.redhat.com/show_bug.cgi?id=1954232
https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
https://gitlab.gnome.org/GNOME/libxml2/-/issues/236
https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
[1] PKGBUILD.diff
[2] https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2.patch
[3] https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/8a88e5c1db05ebadfd4569955f6f47c23cdca3c4.patch

PKGBUILD.diff (5 KiB)

This task depends upon

Closed by freswa (frederik)
Wednesday, 16 February 2022, 23:38 GMT
Reason for closing: Implemented
Additional comments about closing: 8.u202-4 in [staging]

Comment by freswa (frederik) - Wednesday, 16 February 2022, 13:51 GMT

Thank you for the patch. Does this compile for you atm? I'm getting gcc errors...

Comment by loqs (loqs) - Wednesday, 16 February 2022, 22:47 GMT

Embedded webkit fails to build with LTO enabled. Disabled LTO for the component.
java8-openjfx-flags.patch imports the CFLAGS environment variable and splits it into an array using space as the delimiter. This produces unexpected results with the current CFLAGS which has runs of spaces inside it.
Worked around by reformatting CFLAGS variable.

PKGBUILD.diff (14.1 KiB)

Comment by freswa (frederik) - Wednesday, 16 February 2022, 23:37 GMT

Awesome find! Thank you!

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#72535 - [java8-openjfx java8-openjfx-src] [Security] multiple issues (CVE-2021-3522 CVE-2021-3517)

Details

Loading...