CVE-2023-34623: org.eclipse.birt.report.engine makes use of vulnerable version of 3rd party library 'jtidy' #1421
Comments
|
If someone is going to fix this: Currently, BIRT uses the JTidy library in /org.eclipse.birt.report.engine/META-INF/MANIFEST.MF: The jtidy library the OP mentions is also available on Maven: Probably it would be better to use the library from Maven. |
|
Note that there is some voodoo involved in how that jar ends up in this folder because it's not checked in to Git:
|
|
Hmmm, or maybe it is!
|
|
It seems the maven bundle does not work with OSGI. When I try to add it to the target platform, there's an error:
This is beyond my knowledge about Maven, Tycho, OSGI etc., so I cannot fix this myself. |
|
It currently only works because it's a jar nested in the lib folder so it does not need to be an OSGi bundle when used in that way. Please, please keep in mind that the *.target is generated, so manual editing is just doing done the dark path where we were before when we were not able to update anything. If we want to get this bundle from maven, it will need to be wrapped and we will need to do that in Orbit... |
|
Pardon my ignorance as I'm not up to speed with the history, and not familiar with Orbit - but would it not be possible to simply replace the current 'Tidy.jar' with the new 1.0.5 JAR, and update MANIFEST / .classpath etc as appropriate (to match the new filename) ? |
|
Yes, that was exactly my point. One could just take the jar from here: https://repo1.maven.org/maven2/com/github/jtidy/jtidy/1.0.5/ and replace the Tidy.jar with that. That's it... But the comment from @hvbtup was about modifying the target platform so that this bundle is in the target platform but that approach is not so easy and while better long term, it needs to be done properly... |
|
Yes. For a quick solution one could just replace the JAR, so Ed @merks can you do this? My first thought was that the way how the JAR is used in the project structure is not very clean and someone with more expertise than me could fix this as well. But now I think that we should provide a quick solution and add the project cleanup on the to-do list for later. |
|
It's definitely not clean the way things are done, but there are quite few such examples. After I finish restructuring Orbit, I hope to find time to revisit the dependencies... |
|
Many thanks to all for the quick response on this! |
|
The latest nightly build has the fix. |
The following vulnerability is present in org.eclipse.birt.report.engine as it makes use of the 'jtidy' library, via the JAR file at the following location:
org.eclipse.birt.report.engine/lib/Tidy.jar
The version currently used by birt.report.engine appears to be as follows (a 2009 release):
CVE: GHSA-fv2r-hw24-8rxj
Note 1:
The jtidy project is maintained at: https://github.com/jtidy/jtidy
Note 2:
Recent release(es) of jtidy have addressed the vulnerability (eg. version 1.0.5).
Would it be possible to integrate the latest version of jtidy via the above Github project, such that org.eclipse.birt.report.engine is no longer listed as being vulnerable to CVE-2023-34623 ? Hopefully the latest version is backwards compatible without any API changes required, although I am unsure whether this is the case.
The text was updated successfully, but these errors were encountered: