Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing

[John Helmert III <ajak () gentoo org>]

On Fri, Nov 04, 2022 at 05:35:34PM +0000, Gary D. Gregory wrote:
> Description:
>
> Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. 
> However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be 
> abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the 
> resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
>
> This issue is being tracked as BCEL-363
>
> Credit:
>
> Reported by Felix Wilhelm (Google); GitHub pull request to Apache Commons BCEL #147 by Richard Atkins 
> (https://github.com/rjatkins); PR derived from OpenJDK (https://github.com/openjdk/jdk11u/) commit 
> 13bf52c8d876528a43be7cb77a1f452d29a21492 by Aleksei Voitylov and RealCLanger (Christoph Langer 
> https://github.com/RealCLanger)

This appears to be a duplicate of CVE-2022-34169 (also issued by the
Apache CNA), and previously discussed on this list at [1]. It was
eventually reported to the list that the vulnerability was actually in
bcel [2].

[1] https://www.openwall.com/lists/oss-security/2022/07/19/5
[2] https://www.openwall.com/lists/oss-security/2022/10/18/2

Attachment: signature.asc
Description: