Bug#1050834: libpf4j-java: CVE-2023-40826 CVE-2023-40827 CVE-2023-40828

[Moritz Mühlenhoff]

Source: libpf4j-java
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libpf4j-java.

CVE-2023-40826[0]:
| An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to
| obtain sensitive information and execute arbitrary code via the
| zippluginPath parameter.

https://github.com/pf4j/pf4j/issues/536
Duplicate/similar to: https://github.com/pf4j/pf4j/issues/526
https://github.com/pf4j/pf4j/pull/538
Fixed by: https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72

CVE-2023-40827[1]:
| An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to
| obtain sensitive information and execute arbitrary code via the
| loadpluginPath parameter.

https://github.com/pf4j/pf4j/issues/536
https://github.com/pf4j/pf4j/pull/537
https://github.com/pf4j/pf4j/pull/538
Fixed by: https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72

CVE-2023-40828[2]:
| An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to
| obtain sensitive information and execute arbitrary code via the
| expandIfZip method in the extract function.

https://github.com/pf4j/pf4j/pull/537
https://github.com/pf4j/pf4j/pull/538
Fixed by: https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40826
    https://www.cve.org/CVERecord?id=CVE-2023-40826
[1] https://security-tracker.debian.org/tracker/CVE-2023-40827
    https://www.cve.org/CVERecord?id=CVE-2023-40827
[2] https://security-tracker.debian.org/tracker/CVE-2023-40828
    https://www.cve.org/CVERecord?id=CVE-2023-40828

Please adjust the affected versions in the BTS as needed.