Bug 2215229 (CVE-2023-2976)

Summary: CVE-2023-2976 guava: insecure temporary directory creation
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, adupliak, aileenc, alampare, alazarot, almacdon, anstephe, aogburn, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, csutherl, dandread, darran.lofthouse, dfreiber, dhanak, dhughes, dkreling, dosoudil, drichtar, eaguilar, ebaron, eglynn, ehelms, emingora, eric.wittmann, fdemeloj, fjuma, fmongiar, gjospin, gmalinko, gsmet, gzaronik, hamadhan, hbraun, ibek, ivassile, iweiss, janstey, jburrell, jcantril, jclere, jjoyce, jkang, jmartisk, jnethert, jolee, jpallich, jpechane, jpoth, jrokos, jross, jschatte, jscholz, jsherril, jstastny, jvanek, kverlaen, lbacciot, lgao, lhh, lthon, lzap, max.andersen, mburns, mgarciac, mhulan, mizdebsk, mmadzin, mnovotny, mosmerov, msochure, mstefank, msvehla, myarboro, nmoumoul, nwallace, orabin, pantinor, pcreech, pdelbell, pdrozd, peholase, periklis, pgallagh, pgrist, pjindal, pmackay, probinso, pskopek, rchan, rguimara, rhcs-maint, rjohnson, rkieley, rogbas, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, sdouglas, sfroberg, smaestri, sthorger, swoodman, szappis, tcunning, tom.jenkinson, tqvarnst, vkumar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: guava 32.0.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2215230, 2215231, 2232209, 2232210, 2215232    
Bug Blocks: 2215233    

Description Sandipan Roy 2023-06-15 06:22:33 UTC 
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.



https://github.com/google/guava/issues/2575
Comment 12 Patrick Del Bello 2023-08-15 18:31:03 UTC 
Created guava tracking bugs for this issue:

Affects: fedora-37 [bug 2232209]
Affects: fedora-38 [bug 2232210]