Bug 501472 (CVE-2013-6493) - <dev-java/icedtea-web-1.4.2, <dev-java/icedtea-bin-6.1.13.3-r3: insecure temporary directory use (CVE-2013-6493)
Summary: <dev-java/icedtea-web-1.4.2, <dev-java/icedtea-bin-6.1.13.3-r3: insecure temp...
Status: RESOLVED FIXED
Alias: CVE-2013-6493
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-16 11:37 UTC by Agostino Sarubbo
Modified: 2015-08-28 00:00 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-02-16 11:37:34 UTC
From ${URL}:

IcedTea-Web version 1.4.2 released earlier this week fixes an issue
related to handling of the directory that is used to store sockets for
communication between the in-browser plugin and the JVM running applets.  The
directory was usually created in /tmp, using a predictable name, and its
ownership and permissions were not checked.  This issue was reported by
Michael Scherer of Red Hat and was assigned CVE-2013-6493.

References:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html
http://icedtea.classpath.org/hg/icedtea-web/rev/228e3652214a
http://icedtea.classpath.org/hg/icedtea-web/rev/1e0507976663
https://bugzilla.redhat.com/show_bug.cgi?id=1010958



@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
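As an added example (not code from IcedTea-Web, from the linked fix changesets, or from anyone on this bug), this is the pattern the description above calls for: create the socket directory atomically under an unpredictable name, and verify that it is a real directory owned by the current user with no group/other access before trusting it. The `icedteaplugin-` prefix, the function names, and the use of `/tmp` as the base are assumptions made for the illustration.

```c
/* Added example, not from IcedTea-Web or this bug: creating and validating
 * a private per-user directory for IPC sockets. Function names and the
 * "icedteaplugin-" prefix are assumptions made for this illustration. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept `path` only if it is a real directory (lstat, so a symlink planted
 * at that name is rejected), owned by the effective user, and closed to
 * group and other. A directory pre-created by another user, or one left
 * with permissive mode bits, fails these checks. Returns 1 if acceptable. */
int dir_is_private(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) return 0;
    return 1;
}

/* Create a fresh directory under `base` with a random suffix. mkdtemp()
 * creates it atomically with mode 0700, so the name cannot be guessed and
 * pre-created, and there is no check-then-create window. The resulting
 * path is copied to `out`; returns 0 on success, -1 on failure. */
int make_private_dir(const char *base, char *out, size_t outlen) {
    char tmpl[4096];
    int n = snprintf(tmpl, sizeof tmpl, "%s/icedteaplugin-XXXXXX", base);
    if (n < 0 || (size_t)n >= sizeof tmpl) return -1;
    if (mkdtemp(tmpl) == NULL) return -1;
    /* Re-validate what was just created before handing it out. */
    if (!dir_is_private(tmpl) || strlen(tmpl) + 1 > outlen) {
        rmdir(tmpl);
        return -1;
    }
    strcpy(out, tmpl);
    return 0;
}

int main(void) {
    char dir[4096];
    if (make_private_dir("/tmp", dir, sizeof dir) != 0) {
        perror("make_private_dir");
        return 1;
    }
    printf("socket directory: %s (private: %d)\n", dir, dir_is_private(dir));
    /* Reproduce the weak state the advisory describes: world-accessible. */
    chmod(dir, 0777);
    printf("after chmod 0777, private: %d\n", dir_is_private(dir));
    rmdir(dir);
    return 0;
}
```

The validation function is what closes the gap the advisory describes: a plugin that reuses a directory at a fixed name must still confirm ownership and mode each time, because the directory may have been created by a different local user before the plugin ran.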
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-05-31 21:10:19 UTC
Not sure if this affects 1.3.2 which is built into icedtea-bin-6, or just 1.4 series :/
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-06-03 06:34:38 UTC
I guess 1.3.2 is also affected, so it's time icedtea-bin:6 stopped bundling it and depended on 1.4.2, which can handle multiple icedtea versions in a single installation.

So I made a dev-java/icedtea-bin-6.1.13.3-r1 revbump that should be tested and stabilized together with dev-java/icedtea-web-1.4.2.
Testing means trying javaws on some webstart file, and checking if the browser plugin works. Thanks.
Comment 3 Agostino Sarubbo gentoo-dev 2014-06-08 09:49:01 UTC
I get:

  dependency.bad                22
   dev-java/icedtea-web/icedtea-web-1.4.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['dev-java/icedtea:7']
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-11 12:06:06 UTC
Please fix bug #502280 first.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 03:41:37 UTC
With Bug 502280 closed, please advise when you want to go to stabilization.
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-06-24 02:16:40 UTC
Actually it seems that icedtea-web only has ~arch ebuilds and not stable, so it seems we don't need to stabilize it.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-06-24 02:25:58 UTC
(In reply to Paweł Hajdan, Jr. from comment #6)
> Actually it seems that icedtea-web only has ~arch ebuilds and not stable, so
> it seems we don't need to stabilize it.

This was a question for dev-java/icedtea-bin to stabilize 6.1.13.3-r1 as per comment 2 above. Sorry for not asking specifics. icedtea-web does not need to be stabilized, just tested.
Comment 8 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-06-27 14:44:58 UTC
(In reply to Yury German from comment #7)
> (In reply to Paweł Hajdan, Jr. from comment #6)
> > Actually it seems that icedtea-web only has ~arch ebuilds and not stable, so
> > it seems we don't need to stabilize it.
> 
> This was a question for dev-java/icedtea-bin to stabilize 6.1.13.3-r1 as per
> comment 2 above. Sorry for not asking specifics. icedtea-web does not need
> to be stabilized, just tested.

No, it needs to be stabilized. icedtea-bin (which is stable) bundles a vulnerable version of icedtea-web. Now it's possible to unbundle it, so that icedtea-bin PDEPENDS on icedtea-web. But for that, icedtea-web needs to be stable.

(In reply to Agostino Sarubbo from comment #3)
> I get:
> 
>   dependency.bad                22
> 
>    dev-java/icedtea-web/icedtea-web-1.4.2.ebuild: DEPEND:
> amd64(default/linux/amd64/13.0) ['dev-java/icedtea:7']

I have fixed this by stripping the icedtea7 USE flag from icedtea-web-1.4.2, and creating a icedtea-web-1.4.2-r1 revbump that keeps it.
Also for bug 502280, dev-java/icedtea-bin-6.1.13.3-r1 had to be revbumped to dev-java/icedtea-bin-6.1.13.3-r3 (without a change, but previously the bug was fixed without revbump so people didn't get the fix).

So to sum up, please stabilize the following:
dev-java/icedtea-bin-6.1.13.3-r3
dev-java/icedtea-web-1.4.2   (NOT -r1)

Thanks.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2014-06-27 22:14:11 UTC
Arches, please test and mark stable:

=dev-java/icedtea-bin-6.1.13.3-r3
=dev-java/icedtea-web-1.4.2 (New Stabilization - see comment #8)

Target Keywords : "amd64 x86"
Comment 10 Agostino Sarubbo gentoo-dev 2014-06-28 09:25:10 UTC
RepoMan scours the neighborhood...
>>> Creating Manifest for /home/at/gentoo-x86/dev-java/icedtea-bin
  dependency.bad                11
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0) ['dev-java/icedtea-web:0[icedtea7]']
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop) ['dev-java/icedtea-web:0[icedtea7]']
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['dev-java/icedtea-web:0[icedtea7]']
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome/systemd) ['dev-java/icedtea-web:0[icedtea7]']
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/kde) ['dev-java/icedtea-web:0[icedtea7]']
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/kde/systemd) ['dev-java/icedtea-web:0[icedtea7]']
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/developer) ['dev-java/icedtea-web:0[icedtea7]']
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64) ['dev-java/icedtea-web:0[icedtea7]']
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64/no-multilib) ['dev-java/icedtea-web:0[icedtea7]']
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64/no-multilib/selinux) ['dev-java/icedtea-web:0[icedtea7]']
   dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64/selinux) ['dev-java/icedtea-web:0[icedtea7]']
Comment 11 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-06-30 22:30:35 UTC
(In reply to Agostino Sarubbo from comment #10)
> RepoMan scours the neighborhood...
> 
> >>> Creating Manifest for /home/at/gentoo-x86/dev-java/icedtea-bin
>   dependency.bad                11
> 
>    dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND:
> amd64(default/linux/amd64/13.0) ['dev-java/icedtea-web:0[icedtea7]']

I'm updating title so it says 'dev-java/icedtea-bin-6.1.13.3-r3' explicitly.
I will also remove -r0 and -r1 to be sure.
Comment 12 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-06-30 22:35:10 UTC
(In reply to Agostino Sarubbo from comment #10)
> RepoMan scours the neighborhood...
> 
> >>> Creating Manifest for /home/at/gentoo-x86/dev-java/icedtea-bin
>   dependency.bad                11
> 
>    dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND:
> amd64(default/linux/amd64/13.0) ['dev-java/icedtea-web:0[icedtea7]']

Should be fixed, please try again.
Comment 13 Agostino Sarubbo gentoo-dev 2014-07-01 05:36:43 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-07-01 05:36:54 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-01 07:30:34 UTC
GLSA vote: no.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-07-01 14:55:51 UTC
GLSA Vote: No

No GLSA will be issued.
Maintainer(s), please drop the vulnerable version.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 20:49:07 UTC
CVE-2013-6493 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6493):
  The LiveConnect implementation in plugin/icedteanp/IcedTeaNPPlugin.cc in
  IcedTea-Web before 1.4.2 allows local users to read the messages between a
  Java applet and a web browser by pre-creating a temporary socket file with a
  predictable name in /tmp.
Comment 18 Manuel Rüger (RETIRED) gentoo-dev 2015-08-28 00:00:14 UTC
Vulnerable versions were removed a while ago. Closing as it's noglsa.