Bug 575982 - Add / Replace io.github.classgraph with a newer version
Summary: Add / Replace io.github.classgraph with a newer version
Status: NEW
Alias: None
Product: Orbit
Classification: Tools
Component: bundles
Version: unspecified
Hardware: PC Mac OS X
Importance: P3 normal
Target Milestone: ---
Assignee: Orbit Bundles CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-09-14 15:49 EDT by Martin D'Aloia CLA
Modified: 2021-09-30 12:06 EDT (History)
2 users

See Also:


Description Martin D'Aloia CLA 2021-09-14 15:49:07 EDT
Currently it exists in Orbit as 4.8.35.v20190528-1517, which is used by Xtext [1] at least.

This version is open to an XXE, which was fixed with this PR [2] and released in version 4.8.112 [3]. The current latest version at this time is 4.8.116.


Explanation:

The classgraph package is vulnerable to XML eXternal Entity (XXE) attacks. The getVersion() method in the VersionFinder class processes malicious external entities by default due to an unsafe XML parser configuration when reading the pom.xml file to determine the Classgraph version. A remote attacker can exploit this vulnerability by supplying XML data with a Document Type Definition (DTD) that contains malicious external entity references. These references may be leveraged by the attacker to exfiltrate sensitive information, cause a Denial of Service (DoS) condition, or to perform other XXE related attacks.


[1]: https://github.com/eclipse/xtext-extras/blob/3f1e0cccba86a101ea1479fea75895071a4c92c9/releng/releng-target/xtext-extras.target.target#L25
[2]: https://github.com/classgraph/classgraph/pull/539
[3]: https://github.com/classgraph/classgraph/releases/tag/classgraph-4.8.112
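The bug described above comes down to the XML parser configuration used when reading pom.xml. The following is an added example of a hardened configuration, not classgraph's code and not the fix from PR #539; the pom fragments are constructed samples, and `file:///placeholder` is a placeholder URI. It disables DOCTYPE processing and external entities entirely, so a document carrying a DTD is rejected before any entity could be resolved.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedPomParser {

    /** Builds a DocumentBuilder that refuses DTDs, so no external entity can be declared or resolved. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...> outright; this alone blocks classic XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DTD were ever allowed again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    /** Reads the first <version> element of a pom.xml-like document. */
    public static String readVersion(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getElementsByTagName("version").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign pom fragment.
        String benign = "<project><version>4.8.117</version></project>";
        // Constructed sample: the same document with a DOCTYPE declaring an external entity
        // (placeholder URI). A parser that processes DTDs would try to resolve it.
        String withDtd = "<!DOCTYPE project [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<project><version>&ext;</version></project>";
        DocumentBuilder hardened = hardenedBuilder();
        System.out.println("benign version: " + readVersion(hardened, benign));
        try {
            readVersion(hardened, withDtd);
            System.out.println("unexpected: DTD was accepted");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE as intended: " + e.getMessage());
        }
    }
}
```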
Comment 1 Martin D'Aloia CLA 2021-09-14 16:11:56 EDT
I was changing the version to 4.8.116, but I see that there is a file src/eclipse/ip_log.xml with the former version and an IPZilla bug id.

Should a new one be created, right?

For what I see here [1] "Only Eclipse committers can use IPZilla"

Thanks in advance

[1]: https://dev.eclipse.org/ipzilla/
Comment 2 Christian Dietrich CLA 2021-09-15 04:18:41 EDT
Do we need a CQ for patch releases too?!?
Comment 3 Eclipse Genie CLA 2021-09-15 04:27:27 EDT
New Gerrit change created: https://git.eclipse.org/r/c/orbit/orbit-recipes/+/185453
Comment 4 Gunnar Wagenknecht CLA 2021-09-15 07:11:06 EDT
For patch updates no CQ is required.
Comment 5 Martin D'Aloia CLA 2021-09-15 13:43:24 EDT
Thanks Christian and Gunnar!

Didn't know it wasn't required.

I was about to replace it instead of adding a new one... mostly to prevent providing/using it when it has a known vulnerability.

For future reference, is there any policy/guidance on when to add or replace a version?

Thanks in advance!
Comment 6 Christian Dietrich CLA 2021-09-15 13:46:33 EDT
The policy is to keep only the latest version on a patch level.
So in this case it would be a remove.
But I know how the exact process for removal is,
thus I PRed the add.
Comment 7 Christian Dietrich CLA 2021-09-29 00:51:26 EDT
Unfortunately no response from committers yet.
Updated PR to 4.8.117.