Bug#: 176675
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2007-05-01 12:36 0000
Sun has acknowledged a vulnerability in the Java Web Start of the Java 2
Platform, which can be exploited by malicious people to bypass certain security
restrictions.

The vulnerability is caused by an unspecified error within the use of
system classes. This can e.g. be exploited to read and write to local files via
malicious Java Web Start Applications.

The vulnerability is reported in Java Web Start in JDK and JRE 5.0 Update 10
and Java Web Start in SDK and JRE 1.4.2_13 and earlier for Windows, Solaris and
Linux.
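
The affected and fixed versions stated above can be turned into a simple inventory check. The following Python is an added example, not part of the bug report or of Gentoo's own tooling: it parses Sun-style (1.5.0_10) and Gentoo-style (1.5.0.11) version strings and flags anything older than the releases this bug asks to have stabilized (1.5.0.11 and 1.4.2.14). The `java -version` lines and host names in the sample are constructed.

```python
import re

# First version per family treated as fixed here. The description lists
# 5.0 Update 10 and 1.4.2_13 (and earlier) as affected; 1.5.0.11 and
# 1.4.2.14 are the versions this bug requests for stabilization.
FIXED_IN = {
    (1, 5): (1, 5, 0, 11),
    (1, 4): (1, 4, 2, 14),
}

# Matches "1.5.0_10" (Sun) and "1.5.0.11" (Gentoo package version) alike.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[._](\d+))?")


def parse_version(text):
    """Return (major, minor, micro, update) from strings such as
    '1.5.0_10', 'dev-java/sun-jre-bin-1.4.2.14' or 'java version "1.5.0_10"'.
    Raises ValueError when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Java version found in {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_affected(text):
    """True if the version is in a family covered by this bug and older than
    the fixed release for that family; False if it is at or past the fix;
    None for families the bug does not cover (e.g. 1.6), i.e. not assessed."""
    v = parse_version(text)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


# Constructed sample: one `java -version` line collected per host.
SAMPLE_OUTPUT = """\
host-a: java version "1.5.0_10"
host-b: java version "1.5.0_11"
host-c: java version "1.4.2_13"
host-d: java version "1.4.2_14"
host-e: java version "1.6.0_01"
"""


def triage(output=SAMPLE_OUTPUT):
    """Map each host to True (affected), False (fixed) or None (not covered)."""
    results = {}
    for line in output.splitlines():
        host, _, rest = line.partition(":")
        results[host.strip()] = is_affected(rest)
    return results


if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "fixed", None: "not covered by this bug"}
    for host, state in triage().items():
        print(f"{host}: {labels[state]}")
```

The comparison works on normalized tuples, so the Sun update number and the trailing Gentoo version component compare correctly against each other; anything in a family the bug does not name is reported as not assessed rather than silently passed.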

------- Comment #1 From Vlastimil Babka (Caster) 2007-05-01 13:56:41 0000 -------
*** Bug 175280 has been marked as a duplicate of this bug. ***

------- Comment #2 From Petteri Räty 2007-05-01 14:01:45 0000 -------
amd64: please do sun-jre-bin-1.5.0.11 as you didn't get to doing it in bug
175280.

------- Comment #3 From Vlastimil Babka (Caster) 2007-05-01 14:03:06 0000 -------
amd64, please stabilize:
dev-java/sun-jre-bin-1.5.0.11
app-emulation/emul-linux-x86-java-1.5.0.11

I'll bump 1.4 to 1.4.2.14

------- Comment #4 From Vlastimil Babka (Caster) 2007-05-01 14:36:25 0000 -------
x86, please stabilize:
dev-java/sun-jdk-1.4.2.14
dev-java/sun-jre-bin-1.4.2.14

------- Comment #5 From Raúl Porcel 2007-05-02 10:53:53 0000 -------
x86 stable, i hate java...

------- Comment #6 From Vlastimil Babka (Caster) 2007-05-02 21:27:45 0000 -------
(In reply to comment #5)
> x86 stable, i hate java...

Instant karma bites back!
You forgot dev-java/sun-jre-bin-1.4.2.14 :) It's just a subset of JDK so
shouldn't be a problem.

------- Comment #7 From Raúl Porcel 2007-05-03 11:13:02 0000 -------
x86 stable again

------- Comment #8 From Raphael Marichez 2007-05-08 20:22:25 0000 -------
ping amd64 team

------- Comment #9 From Christoph Mende 2007-05-09 17:20:13 0000 -------
emerges fine, works 'n stuff on amd64

Portage 2.1.2.2 (default-linux/amd64/2007.0/desktop, gcc-4.1.1, glibc-2.5-r2,
2.6.21-ck1 x86_64)
=================================================================
System uname: 2.6.21-ck1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 07 May 2007 23:50:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.61
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/php/apache1-php5/ext-active/
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet"
FEATURES="buildsyspkg ccache cvs distlocks metadata-transfer nodoc noinfo
parallel-fetch sandbox sfperms strict userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
ftp://ftp.gentoo.mesh-solutions.com/gentoo/
ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.UTF8"
LC_ALL="en_US.UTF8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow X a52 aac acpi alsa amd64 amr audiofile bitmap-fonts bzip2 cairo
cdinstall cdr cli cracklib cups dbus dri dts dvd dvdr dvdread emboss encode evo
exif fam firefox fortran gdbm gif gmp gtk hal iconv jpeg libg++ lirc logrotate
mad midi mikmod minimal mmx mp3 mpeg ncurses nptl nptlonly offensive ogg opengl
pcre pdf php png pppd qt3support quicktime readline reflection sdl session smp
soundtouch spl sse sse2 ssl svg symlink tcpd threads tiff truetype
truetype-fonts type1-fonts unicode v4l vim vorbis x264 xinerama xorg xv xvid
zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare
dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw
multi null plug rate route share shm
softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

------- Comment #10 From Steve Dibb 2007-05-11 15:17:49 0000 -------
(In reply to comment #3)
> amd64, please stabilize:
> dev-java/sun-jre-bin-1.5.0.11
> app-emulation/emul-linux-x86-java-1.5.0.11

done

------- Comment #11 From Vlastimil Babka (Caster) 2007-05-14 09:36:13 0000 -------
Time for glsa?

------- Comment #12 From Sune Kloppenborg Jeppesen 2007-05-14 18:12:43 0000 -------
I tend to vote YES.

------- Comment #13 From Daniel Black 2007-05-19 23:06:04 0000 -------
Voting yes. I think this is consistent with the way Gentoo has handled GLSAs for priv
escalations before.

------- Comment #14 From Vic Fryzel (shellsage) 2007-05-20 15:33:22 0000 -------
I definitely vote yes, we've drafted Sun Java vulns of this nature before.

------- Comment #15 From Sune Kloppenborg Jeppesen 2007-05-20 16:06:43 0000 -------
Let's have a GLSA on this one.

------- Comment #16 From Raphael Marichez 2007-06-01 07:14:42 0000 -------
200705-23 combined with bug 178851
