| Name | CVE-2022-34169 |
| Description | The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3155-1, DSA-5188-1, DSA-5192-1, DSA-5256-1, ELA-653-1, ELA-707-1 |
| Debian Bugs | 1015860 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| bcel (PTS) | jessie, jessie (lts) | 6.0~rc3-1+deb8u1 | fixed |
| stretch (lts), stretch | 6.0-1+deb9u1 | fixed | |
| buster (security), buster, buster (lts) | 6.2-1+deb10u1 | fixed | |
| bullseye (security), bullseye | 6.5.0-1+deb11u1 | fixed | |
| bookworm | 6.5.0-2 | fixed | |
| sid, trixie | 6.10.0-1 | fixed | |
| openjdk-11 (PTS) | buster, buster (lts) | 11.0.25+9-1~deb10u1 | fixed |
| buster (security) | 11.0.23+9-1~deb10u1 | fixed | |
| bullseye | 11.0.24+8-2~deb11u1 | fixed | |
| bullseye (security) | 11.0.25+9-1~deb11u1 | fixed | |
| sid | 11.0.25+9-1 | fixed | |
| openjdk-17 (PTS) | bullseye | 17.0.12+7-2~deb11u1 | fixed |
| bullseye (security) | 17.0.13+11-1~deb11u1 | fixed | |
| bookworm (security), bookworm | 17.0.13+11-2~deb12u1 | fixed | |
| sid, trixie | 17.0.13+11-2 | fixed | |
| openjdk-8 (PTS) | jessie, jessie (lts) | 8u432-b06-2~deb8u1 | fixed |
| stretch (security) | 8u332-ga-1~deb9u1 | vulnerable | |
| stretch (lts), stretch | 8u432-b06-2~deb9u1 | fixed | |
| sid | 8u432-b06-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| bcel | source | jessie | 6.0~rc3-1+deb8u1 | ELA-707-1 | ||
| bcel | source | stretch | 6.0-1+deb9u1 | ELA-707-1 | ||
| bcel | source | buster | 6.2-1+deb10u1 | DLA-3155-1 | ||
| bcel | source | bullseye | 6.5.0-1+deb11u1 | DSA-5256-1 | ||
| bcel | source | (unstable) | 6.5.0-2 | 1015860 | ||
| openjdk-11 | source | buster | 11.0.16+8-1~deb10u1 | DSA-5188-1 | ||
| openjdk-11 | source | bullseye | 11.0.16+8-1~deb11u1 | DSA-5188-1 | ||
| openjdk-11 | source | (unstable) | 11.0.16+8-1 | |||
| openjdk-17 | source | bullseye | 17.0.4+8-1~deb11u1 | DSA-5192-1 | ||
| openjdk-17 | source | (unstable) | 17.0.4+8-1 | |||
| openjdk-8 | source | jessie | 8u342-b07-1~deb8u1 | ELA-653-1 | ||
| openjdk-8 | source | stretch | 8u342-b07-1~deb9u1 | ELA-653-1 | ||
| openjdk-8 | source | (unstable) | 8u342-b07-1 |
https://www.openwall.com/lists/oss-security/2022/07/19/5
https://github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297
Bug is most likely only in bcel which libxalan2-java depends on.
https://github.com/apache/commons-bcel/pull/147
https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5