Bug 205772 - dev-java/sun-jdk-1.6.0.04 and 1.5.0.14 (and dev-java/sun-jre-bin) version bump
Summary: dev-java/sun-jdk-1.6.0.04 and 1.5.0.14 (and dev-java/sun-jre-bin) version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Java
Hardware: All Linux
Importance: High normal
Assignee: Java team
URL: https://jdk-distros.dev.java.net/deve...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-14 10:32 UTC by Stefan Behte (RETIRED)
Modified: 2008-01-18 19:48 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2008-01-14 10:32:10 UTC
http://java.sun.com/javase/downloads/index.jsp

Changelog mentions a Buffer Overflow in sun.font.TrueTypeFont.getTableBuffer 
http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_04

We should get 1.6.0.04 in the tree ASAP and Mask 1.6.0.03!
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 17:59:24 UTC
Maybe the site changed in between, but it mentions that a "StackOverflowError" was caused in that function. Since that happens gracefully within the JVM, how is that a security vulnerability?

Java herd, did I miss something?
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-01-15 18:18:53 UTC
(In reply to comment #1)
> Maybe the site changed in between, but it mentions that a "StackOverflowError"
> was caused in that function. Since that happens gracefully within the JVM, how
> is that a security vulnerability?

Exactly, it's in the Java code, so it's safe. The associated bug also shows a Java exception stack trace, no segfault. Also, I'm sure Sun would release some advisory.
I expect one anyway, even wanted to open a security bug like "new version was released, there must be something with the old" when I noticed the release :)
So for now, just a version bump bug, and we are as usual waiting for the release under DJL license...
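The distinction drawn in comments 1 and 2 (a Java exception stack trace versus a segfault) can be checked mechanically when triaging a crash report. The following is an added example, not part of the original bug thread or of Sun's tooling; the `triage` function and both sample logs are constructed for illustration, and the verdict is a triage hint only.

```python
import re
from collections import Counter

# Banner lines HotSpot prints when the JVM process itself dies (hs_err report).
NATIVE_MARKERS = (
    re.compile(r"^#\s+(?:A fatal|An unexpected) error has been detected "
               r"by (?:the )?Java Runtime Environment"),
    re.compile(r"^#\s+(?:SIGSEGV|SIGBUS|SIGILL|SIGFPE|EXCEPTION_ACCESS_VIOLATION)\b"),
)
# A Throwable raised and unwound inside the JVM, followed by "\tat pkg.Cls.method(".
THROWABLE = re.compile(r'^(?:Exception in thread "[^"]*" )?([\w$.]+(?:Error|Exception))\b')
FRAME = re.compile(r"^\s+at ([\w$.<>]+)\(")

def triage(log):
    """Classify crash output as a native crash or a JVM-managed Throwable."""
    native, throwable, frames = False, None, Counter()
    for line in log.splitlines():
        if any(p.search(line) for p in NATIVE_MARKERS):
            native = True
        m = THROWABLE.match(line)
        if m and throwable is None:
            throwable = m.group(1)
        m = FRAME.match(line)
        if m:
            frames[m.group(1)] += 1
    if native:
        verdict = "native-crash"        # process died: review for memory corruption
    elif throwable and frames:
        verdict = "managed-throwable"   # raised and reported by the JVM
    else:
        verdict = "unknown"
    # The most repeated frame points at the recursing method for StackOverflowError.
    hottest = frames.most_common(1)[0] if frames else None
    return {"verdict": verdict, "throwable": throwable, "hottest_frame": hottest}

# Constructed sample inputs (not the trace from Sun's bug report).
MANAGED = ('Exception in thread "main" java.lang.StackOverflowError\n'
           + "\tat sun.font.TrueTypeFont.getTableBuffer(TrueTypeFont.java)\n" * 3
           + "\tat example.Main.main(Main.java)\n")
NATIVE = ("#\n# An unexpected error has been detected by Java Runtime Environment:\n"
          "#\n#  SIGSEGV (0xb) at pc=0x00000000, pid=1234, tid=5678\n"
          "#\n# Problematic frame:\n# C  [libexample.so+0x1a2b]\n")

if __name__ == "__main__":
    for name, log in (("managed", MANAGED), ("native", NATIVE)):
        print(name, triage(log))
```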
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-01-18 15:06:36 UTC
In CVS.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-01-18 19:48:34 UTC
Thanks! :)