Bug#: 178851
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Vlastimil Babka (Caster) <caster@gentoo.org>
Bug 178851 depends on: 172854 Show dependency tree
Show dependency graph
Bug 178851 blocks: 177842 215614
Description:   Opened: 2007-05-17 09:42 0000
Originally reported by Martin Capitanio <gentoo-bug@capitanio.org> in bug
178575.

Programs affected: JDK 1.5.0_07-b03 and others.
Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06.
Severity: Probable remote compromise of systems which use the vulnerable JDK
APIs to parse images.

We already have 1.5.0.11 stabled so that's fine but we need to finally get them
to release 1.6.0_01 under DLJ.

------- Comment #1 From Sune Kloppenborg Jeppesen 2007-05-18 06:41:23 0000 -------
Handling app-emulation/emul-linux-x86-java on bug 178962.

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-05-19 22:29:10 0000 -------
*** Bug 179155 has been marked as a duplicate of this bug. ***

------- Comment #3 From Vlastimil Babka (Caster) 2007-05-20 20:30:13 0000 -------
To sum it up, for 1.6 this is probably [upstream] because they didn't release a
fixed version under the friendly license yet.
For 1.5 you could glsa it together with 176675 (if that's possible per your
policies?) because the fixed version is the same - 1.5.0.11. But this bug isn't
applicable for 1.4 which is also handled by 176675 so dunno.

------- Comment #4 From Sune Kloppenborg Jeppesen 2007-05-21 03:52:06 0000 -------
Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
stable we (security) don't mind.

------- Comment #5 From Raphael Marichez 2007-06-01 07:14:45 0000 -------
200705-23 combined with bug 176675

------- Comment #6 From Vlastimil Babka (Caster) 2007-06-01 07:41:48 0000 -------
(In reply to comment #4)
> Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
> stable we (security) don't mind.

But x86 already stabilized 1.6.0 jre

------- Comment #7 From Petteri Räty 2007-06-02 16:33:41 0000 -------
(In reply to comment #6)
> (In reply to comment #4)
> > Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
> > stable we (security) don't mind.
> 
> But x86 already stabilized 1.6.0 jre
> 

u1 is out. x86 please mark stable

------- Comment #8 From Vlastimil Babka (Caster) 2007-06-03 22:44:45 0000 -------
> u1 is out. x86 please mark stable

Precisely, dev-java/sun-jre-bin-1.6.0.01-r1 

------- Comment #9 From Christian Faulhammer 2007-06-04 07:48:54 0000 -------
x86 stable

------- Comment #10 From Petteri Räty 2007-06-04 21:12:18 0000 -------
(In reply to comment #9)
> x86 stable
> 

Or not.
  04 Jun 2007; Christian Faulhammer <opfer@gentoo.org> ChangeLog:
  stable x86, security bug 178851

------- Comment #11 From Christian Faulhammer 2007-06-05 05:11:46 0000 -------
I stabled the wrong version, sorry for that.  x86 done again

------- Comment #12 From Raphael Marichez 2007-06-10 18:16:59 0000 -------
it was 200705-23 combined with bug 176675

------- Comment #13 From Vlastimil Babka (Caster) 2007-06-10 18:31:49 0000 -------
(In reply to comment #12)
> it was 200705-23 combined with bug 176675

But that wasn't dealing with the 1.6 JDK, because we didn't have a fixed version
available at that time.

------- Comment #14 From Sune Kloppenborg Jeppesen 2007-06-11 06:41:11 0000 -------
Caster are we still waiting for upstream on 1.6?

We'll close this one once we have an unstable ebuild for 1.6.

------- Comment #15 From Vlastimil Babka (Caster) 2007-06-11 08:59:56 0000 -------
(In reply to comment #14)
> Caster are we still waiting for upstream on 1.6?

No.

> We'll close this one once we have an unstable ebuild for 1.6.

You might want to do a glsa because the vulnerable version was stable on x86 (and
now the fixed one is stable, see comment 11)

Vulnerable that was stable: dev-java/sun-jre-bin-1.6.0-r1
Fixed that is stable: dev-java/sun-jre-bin-1.6.0.01-r1

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-06-16 06:56:01 0000 -------
Security please comment on GLSA need.

------- Comment #17 From Pierre-Yves Rofes 2007-06-20 08:25:39 0000 -------
we released glsa 200705-23 for a similar issue, so I guess we should have
another one for this.

------- Comment #18 From Sune Kloppenborg Jeppesen 2007-07-01 02:17:52 0000 -------
Security please vote.

------- Comment #19 From Matt Drew 2007-07-02 21:25:01 0000 -------
I vote yes, we glsa'd the JPEG/BMP one, this is basically the same thing.

------- Comment #20 From Vlastimil Babka (Caster) 2007-07-02 21:32:24 0000 -------
You can do the GLSA together with bug 183580, which is the same package in a
different slot (maybe I didn't have to open an extra bug for it anyways...)

------- Comment #21 From Sune Kloppenborg Jeppesen 2007-07-15 07:24:02 0000 -------
Voting YES.

------- Comment #22 From Matthias Geerdsen 2007-09-11 11:21:35 0000 -------
changing product/component

please file security bugs in the Gentoo Security product

------- Comment #23 From Robert Buchholz 2008-03-31 19:05:43 0000 -------
I would close this bug without a GLSA because the GLSA has been updated more
than half a year ago:

----------------------------
revision 1.2
date: 2007-06-05 16:24:43 +0200;  author: falco;  state: Exp;  lines: +4 -3; 
commitid: 72f7466571f24567;
add the 1.6.x branch of sun-jre-bin since it had been stabilized on x86 just a
few days before the glsa was sent.
----------------------------

--- glsa-200705-23.xml  31 May 2007 18:12:05 -0000      1.1
+++ glsa-200705-23.xml  5 Jun 2007 14:24:43 -0000       1.2
@@ -11,7 +11,7 @@
   </synopsis>
   <product type="ebuild">sun-jdk,sun-jre-bin</product>
   <announced>May 31, 2007</announced>
-  <revised>May 31, 2007: 01</revised>
+  <revised>June 05, 2007: 02</revised>
   <bug>176675</bug>
   <bug>178851</bug>
   <access>remote</access>
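Review bot: both `<bug>176675</bug>` and `<bug>178851</bug>` are unchanged context here, so revision 01 already cited bug 178851 while its affected ranges (next hunk) did not yet cover the 1.6.x branch of sun-jre-bin; an advisory that references a bug before its package ranges match that bug's versions reads as complete when it is not. The bump of `<revised>` to `June 05, 2007: 02` with `<announced>` left at May 31 is correct for a revision; in future, keep the bug references and the affected ranges in step in the same commit.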
@@ -22,9 +22,10 @@
       <vulnerable range="lt">1.5.0.11</vulnerable>
     </package>
     <package name="dev-java/sun-jre-bin" auto="yes" arch="*">
-      <unaffected range="ge">1.5.0.11</unaffected>
+      <unaffected range="rge">1.5.0.11</unaffected>
       <unaffected range="rge">1.4.2.14</unaffected>
-      <vulnerable range="lt">1.5.0.11</vulnerable>
+      <unaffected range="ge">1.6.0.01</unaffected>
+      <vulnerable range="lt">1.6.0.01</vulnerable>
     </package>
   </affected>
   <background>
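Review bot: the change from `<unaffected range="ge">1.5.0.11</unaffected>` to `range="rge"` is the essential part of this hunk, not a cosmetic one, and the commit message (which only mentions adding the 1.6.x branch) should say so: with a plain `ge`, the stable-on-x86 1.6.0-r1 sorts above 1.5.0.11 and would have been classified unaffected, so the added `<vulnerable range="lt">1.6.0.01</vulnerable>` line would never have applied to it. The widened vulnerable range now also relies on the `rge` exceptions for 1.4.2.14 and 1.5.0.11 taking precedence, which is the intended GLSA semantics but worth a comment in the commit. Two follow-ups: the new `<unaffected range="ge">1.6.0.01</unaffected>` uses plain `ge`, so any later vulnerable branch would need it converted to `rge` the same way; and the preceding package block (presumably sun-jdk, given the `<product>` line) whose `</package>` is this hunk's second context line is left at `<vulnerable range="lt">1.5.0.11</vulnerable>`, so the JDK 1.6 branch remains uncovered, which is exactly what comment #24 later notices.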

------- Comment #24 From Robert Buchholz 2008-03-31 19:09:34 0000 -------
Oh wait, that did not deal with the JDK. Assuming that was affected, it needs
to get GLSA'd.

------- Comment #25 From Robert Buchholz 2008-04-17 23:43:35 0000 -------
GLSA 200804-20, sorry for the long delay.
