Bug 1212401 (CVE-2023-2976) - VUL-0: CVE-2023-2976: guava: Predictable temporary files and directories used in FileBackedOutputStream
Summary: VUL-0: CVE-2023-2976: guava: Predictable temporary files and directories used...
Status: RESOLVED FIXED
Alias: CVE-2023-2976
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/369552/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-2976:5.5:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-15 07:40 UTC by Cathy Hu
Modified: 2024-05-15 16:26 UTC (History)
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Cathy Hu 2023-06-15 07:40:58 UTC
CVE-2023-2976

Use of Java's default temporary directory for file creation in
`FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems
and Android Ice Cream Sandwich allows other users and apps on the machine with
access to the default Java temporary directory to be able to access the files
created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend
using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2976
https://www.cve.org/CVERecord?id=CVE-2023-2976
https://github.com/google/guava/issues/2575
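To make the weakness concrete, here is an added illustration (not Guava's code and not part of this bug report) contrasting the legacy java.io temp-file call that FileBackedOutputStream relied on with a java.nio call that requests owner-only permissions at creation time, in the spirit of the 32.x fix, plus a small audit check for group/other access bits. It assumes a POSIX filesystem (the PosixFilePermissions calls throw UnsupportedOperationException on Windows); the class and method names are mine.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class TempFilePermissionsDemo {

    // Legacy pattern: File.createTempFile creates the file in java.io.tmpdir (/tmp on Unix)
    // with mode 0666 masked by the process umask. With the usual umask 022 that is 0644,
    // so any other local user with access to /tmp can read the buffered contents.
    static Path legacyTempFile() throws IOException {
        return File.createTempFile("FileBackedOutputStream", null).toPath();
    }

    // Hardened pattern: java.nio asks the filesystem for owner-only permissions atomically
    // at creation, so there is no window in which the file is readable by others.
    // (Files.createTempFile already defaults to rw------- on POSIX; passing the attribute
    // makes the intent explicit and survives a different default on another platform.)
    static Path privateTempFile() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        return Files.createTempFile("FileBackedOutputStream", null,
                PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    // Audit check: true if group or others hold any permission bit on the path.
    static boolean isExposedToOtherUsers(Path p) throws IOException {
        Set<PosixFilePermission> nonOwner = EnumSet.of(
                PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
                PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
                PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            if (nonOwner.contains(perm)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path hardened = privateTempFile();
        try {
            System.out.println(legacy + " exposed to other users: " + isExposedToOtherUsers(legacy));
            System.out.println(hardened + " exposed to other users: " + isExposedToOtherUsers(hardened));
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

With umask 022 the first line reports true and the second false; the audit method is also usable against an existing temp directory to find files a pre-32.x Guava left behind.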
Comment 1 Cathy Hu 2023-06-15 07:41:32 UTC
Affected:
- SUSE:SLE-15-SP2:Update/guava                            30.1.1
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update/guava  30.1.1
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update/guava  30.1.1
- openSUSE:Factory/guava                                  31.1
Comment 2 OBSbugzilla Bot 2023-06-15 16:05:02 UTC
This is an autogenerated message for OBS integration:
This bug (1212401) was mentioned in
https://build.opensuse.org/request/show/1093336 Factory / guava
Comment 4 Maintenance Automation 2023-08-01 12:30:31 UTC
SUSE-SU-2023:3090-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1179926, 1212401
CVE References: CVE-2020-8908, CVE-2023-2976
Sources used:
openSUSE Leap 15.4 (src): guava-32.0.1-150200.3.7.1
openSUSE Leap 15.5 (src): guava-32.0.1-150200.3.7.1
Development Tools Module 15-SP4 (src): guava-32.0.1-150200.3.7.1
Development Tools Module 15-SP5 (src): guava-32.0.1-150200.3.7.1
SUSE Linux Enterprise Real Time 15 SP3 (src): guava-32.0.1-150200.3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Fridrich Strba 2024-03-05 08:38:57 UTC
Alp is fixed. The two SUMA code-streams are not. Not sure whether to submit there from SLE-15-SP2 or they handle it themselves.
Comment 9 Fridrich Strba 2024-03-07 21:36:32 UTC
Submitted to all relevant code-streams. Reassigning to security.
Comment 10 Maintenance Automation 2024-04-08 12:31:00 UTC
SUSE-SU-2024:1138-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1179926, 1212401
CVE References: CVE-2020-8908, CVE-2023-2976
Maintenance Incident: [SUSE:Maintenance:32881](https://smelt.suse.de/incident/32881/)
Sources used:
SUSE Manager Server 4.3 Module 4.3 (src): guava-32.0.1-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.