Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apply fix of BCEL-363 (CVE-2022-42920) to AspectJ's "own BCEL" #192

Closed
daniel-matheis-vivavis opened this issue Nov 10, 2022 · 4 comments · Fixed by #193
Closed

Apply fix of BCEL-363 (CVE-2022-42920) to AspectJ's "own BCEL" #192

daniel-matheis-vivavis opened this issue Nov 10, 2022 · 4 comments · Fixed by #193
Assignees
@kriegaex
Labels
security Security vulnerability fix
Milestone
1.9.19

Comments

@daniel-matheis-vivavis
Copy link

see BCEL issue https://issues.apache.org/jira/browse/BCEL-363
resp. apache/commons-bcel#147

It seems that Aspectj's "own BCEL" also contains this problem.
@daniel-matheis-vivavis daniel-matheis-vivavis changed the title Apply fix of BCEL-363 to AspectJ's "own BCEL" Apply fix of BCEL-363 (CVE-2022-42920) to AspectJ's "own BCEL" Nov 10, 2022
@kriegaex
Copy link
Contributor

Very well possible, AspectJ's BCEL is derived from an ancient version. Which concrete problem are you running into with AspectJ? Where is a reproducer for that problem?

@daniel-matheis-vivavis
Copy link
Author

The regular user of AspectJ won't have a problem with that security issue I would say, as long as AspectJ does not try to write "too many" constant pool entries which would corrput the class file.
It is just that the contained code is (nearly) identical to the one that was fixed elsewhere and thus contains the problem described by the CVE-2022-42920 (which does not tell how to exploit that actually.)

Generally would be interesting to know why this "AspectJ private BCEL" is/was necessary.
Wouldn't it be best not to repackage it but to use the "latest and greatest" BCEL as external dependency?

@kriegaex
Copy link
Contributor

Generally would be interesting to know why this "AspectJ private BCEL" is/was necessary.

That was done many years before I started contributing to AspectJ. I think BCEL was used as a starting point for AspectJ-specific modifications and maybe refreshed from upstream in the olden days, but then it ended up simply being updated manually as the Java language and AspectJ evolved. Now the code bases have diverged so much that it would be a major effort (maybe at the scale of a rewrite) to separate our changes from the original BCEL and keep it in a separate, updateable patch state. BTW, AspectJ also uses ASM, and if AspectJ was to be rewritten today, probably it should use only of of them.

Wouldn't it be best not to repackage it but to use the "latest and greatest" BCEL as external dependency?

Like I said before, it is not just an inlined BCEL version but a heavily modified one.

kriegaex added a commit that referenced this issue Nov 13, 2022
@kriegaex
Address upstream BCEL vulnerability CVE-2022-42920
9221d2b 
Fixes #192.

See GHSA-97xg-phpr-rg8q.
See https://issues.apache.org/jira/browse/BCEL-363.
See apache/commons-bcel#147.

Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
@kriegaex kriegaex mentioned this issue Nov 13, 2022
Merged
kriegaex added a commit that referenced this issue Nov 13, 2022
@kriegaex
Address upstream BCEL vulnerability CVE-2022-42920
063d3cc 
Fixes #192.

See GHSA-97xg-phpr-rg8q.
See https://issues.apache.org/jira/browse/BCEL-363.
See apache/commons-bcel#147.

Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
@aclement
Copy link
Contributor

aclement commented Dec 2, 2022

Generally would be interesting to know why this "AspectJ private BCEL" is/was necessary

Basically we needed to move to a lazier model of unpacking class files for performance/resource-usage reasons (for example, don't unnecessarily unpack the line number table if no-one is asking for line number data or making changes that cause it to need adjustment). If revisiting it now, we'd probably switch to Asm because we also have to use asm to compute stack maps. (unless bcel has added that? maybe it has by now? I seem to recall at the time, many years ago, bcel was in no longer really being maintained).

kriegaex added a commit that referenced this issue Dec 21, 2022
@kriegaex
BCEL: use MAX_CP_ENTRIES from internal class, not from JRE
9161b23 
Instead of importing com.sun.org.apache.bcel.internal.Const, use
use org.aspectj.apache.bcel.Constants. The former class is from the
internal JRE module 'java.xml' which is not exposed by default.
Actually, no existing test failed because of it, but javadoc generation
for the AspectJ weaver.

Relates to #192.

Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
@kriegaex kriegaex added this to the 1.9.19 milestone May 1, 2024
@kriegaex kriegaex added the security Security vulnerability fix label May 1, 2024
@kriegaex kriegaex self-assigned this May 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kriegaex kriegaex

Labels
security Security vulnerability fix
Projects
None yet
Milestone
1.9.19
Development

Successfully merging a pull request may close this issue.

Address upstream BCEL vulnerability CVE-2022-42920 eclipse-aspectj/aspectj
3 participants
@aclement @kriegaex @daniel-matheis-vivavis