Bug 72750 - kde-base/kdebase Konqueror Java vulnerabilities
Summary: kde-base/kdebase Konqueror Java vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.kde.org/info/security/advi...
Whiteboard: A2 [glsa] jaervosz
Blocks: 73759 73795 75204
Reported: 2004-11-28 10:54 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-03-23 19:17 UTC (History)
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-28 10:54:18 UTC
Konqueror 3.3.1 with sun-jdk 1.4.2_06 is listed as vulnerable according to the heise test:

http://www.heise.de/security/dienste/browsercheck/tests/java.shtml
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-29 02:05:02 UTC
kde please test and confirm (remember blackdown on a web browser) asap.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-29 03:00:15 UTC
tested with blackdown-jdk-1.4.2_01 and konqueror 3.3.1 and it is listed as vulnerable too.
Comment 4 Carsten Lohrke (RETIRED) gentoo-dev 2004-11-29 06:26:37 UTC
It is a test for the Java sandbox bypassing issue that you could read about everywhere lately. This has nothing to do with any special browser. >=sun-jdk 1.4.2_06 and blackdown-jdk-1.4.2_01 (Bug 72221) are the safe versions.

I did not try blackdown, but the "Sie können dies >hier< testen" popup with the text "Sieht gut aus, der Versuch lieferte einen Fehler: undefined" means that you're fine.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-29 07:36:06 UTC
I'm getting "Sie sind verwundbar: [object Object ref=11299397]" with 1.4.2-01 from Blackdown Java-Linux Team according to the version string on heise.de.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-29 10:01:21 UTC
Same with 1.4.2_06 from Sun Microsystems Inc. it gives "Sie sind verwundbar: [object Object ref=5218268]"

However this test: http://bcheck.scanit.be/bcheck/ seems to claim that konqueror is clean with both Blackdown and Sun jdk.
Comment 9 Tuan Van (RETIRED) gentoo-dev 2004-11-29 10:57:57 UTC
I get "Sieht gut aus, der Versuch lieferte einen Fehler: undefined" with blackdown-jdk-1.4.2.01.
Comment 10 Carsten Lohrke (RETIRED) gentoo-dev 2004-11-29 11:13:54 UTC
Um, after having a look at my konqueror config and replacing /opt/sun-jdk-1.4.2.05/bin/java with the correct path /opt/sun-jdk-1.4.2.06/bin/java, I can reproduce your results, Sune. My main browser is Firebird, so I guess I muddled the Java is active samples from the one browser with the test of the other... 

Tuan, same for you?

Comment 11 roger55 (RETIRED) gentoo-dev 2004-11-29 11:38:51 UTC
Results with konqueror 3.3.1 and dev-java/blackdown-jdk-1.4.2.01 :

On the heise.de site: First the test said vulnerable, I adjusted the java path, then it said invulnerable once (maybe the page wasn't fully loaded?), then vulnerable again.
 
The http://bcheck.scanit.be/bcheck/ reports no vulnerabilities.


Comment 12 JG 2004-11-29 12:13:35 UTC
installed/used software:
konqueror: v3.3.1
firefox: 1.0
dev-java/sun-jdk-1.4.2.06
dev-java/blackdown-jdk-1.4.1
dev-java/blackdown-jre-1.4.1

settings in konqueror: enable java globally is set.
path to java executable, or 'java': will change in every test.

testing: both the heise and bcheck tests

plugin-settings untouched. i always restarted konqueror between each test and config change.

test 1)
 path to java executable: /opt/blackdown-jdk-1.4.1/bin/java
 expected results: vulnerable
 results:
   heise: vulnerable
   bcheck: test1 (java): no result (0 vulnerabilities)

test 2)
 path to java executable: /opt/blackdown-jre-1.4.1/bin/java
 expected results: vulnerable
 results:
   heise: vulnerable
   bcheck: test1 (java): no result (0 vulnerabilities)

test 3)
 path to java executable: /opt/sun-jdk-1.4.2.06/bin/java
 expected results: NOT vulnerable
 results:
   heise: vulnerable
   bcheck: test1 (java): no result (0 vulnerabilities)

-----
plugin settings:
under plugins i still have the old paths that are expected to be vulnerable:
/opt/sun-jdk-1.4.2.04/jre/plugin/i386/ns610-gcc32/
/opt/sun-jdk-1.4.2.04/jre/plugin/i386

scanning for new plugins doesn't remove them (of course...).
i removed those old paths and did NOT enter the new ones for now.

test 4)
 path to java executable: /opt/sun-jdk-1.4.2.06/bin/java
 expected results: NOT vulnerable
 results:
   heise: vulnerable
   bcheck: test1 (java): no result (0 vulnerabilities)

i now entered the new paths for the plugins:
/opt/sun-jdk-1.4.2.06/bin/java

test 5)
 path to java executable: /opt/sun-jdk-1.4.2.06/bin/java
 expected results: NOT vulnerable
 results:
   heise: vulnerable
   bcheck: test1 (java): no result (0 vulnerabilities)

entering "about:plugins" in the location bar, konqueror says: 
Java Plug-in | Java Plug-in KJAS for Konqueror | kjavaappletviewer.so
removing this shared object file renders java unusable (heise reports deactivated).

deactivating plugins globally doesn't help either. the heise test still reports vulnerable.

i think it could be related to the kjavaappletviewer.so file. any kde pros here? 
i'll recompile kdelibs (will take 1-2h), maybe the kjava* stuff is linked to some java version during compilation?

---
last tests for now:
emerge latest blackdown* versions - rerunning the heise test still says vulnerable (though correct sun-jdk path).

BUT:
====
moving all vulnerable java-versions (sun, blackdown) from /opt to /tmp did help!
heise now says: NOT vulnerable: undefined.
(bcheck still doesn't report anything, i won't check this test anymore)

JG
Comment 13 JG 2004-11-29 13:07:33 UTC
well, i did not recompile kdelibs yet.
but i can confirm comment #8. my system still reports "vulnerable" although i moved all older java-versions to /tmp. if i click the link *before* the page is fully loaded it says "undefined" afterwards: "vulnerable"

JG


Comment 14 Carsten Lohrke (RETIRED) gentoo-dev 2004-11-30 05:12:42 UTC
http://bugs.kde.org/show_bug.cgi?id=94164
Comment 15 Michael Mauch 2004-11-30 08:25:16 UTC
I unemerged all vulnerable Java versions, then re-emerged kdelibs and even rebooted: the Heise test still says "vulnerable".
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-06 09:22:49 UTC
Still nothing from upstream.
Comment 17 Carsten Lohrke (RETIRED) gentoo-dev 2004-12-09 08:52:44 UTC
According to Stephan Kulow, this is fixed with KDE 3.3.2.

Caleb, Motaboy, anyone else: I'm still not subscribed to any kde lists, do you have more information about the issue? Do we have to backport for 3.2.3?
Comment 18 Caleb Tennis (RETIRED) gentoo-dev 2004-12-09 09:31:37 UTC
I haven't seen anything from any list about this as a vulnerability.
Comment 19 Carsten Lohrke (RETIRED) gentoo-dev 2004-12-09 10:03:00 UTC
Well, I did not try to write a real exploit, but it looks similar to Opera's recent Java sandbox problem, just revealed by the tests for the other Java sandbox issue and thanks to Sune, testing Konqueror. I'll ask Stephen.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-09 11:27:41 UTC
kde please confirm if this is fixed with 3.3.2?
Comment 21 Carsten Lohrke (RETIRED) gentoo-dev 2004-12-11 07:45:55 UTC
Sune, the result is now "Sie sind verwundbar: undefined" so it seems this is not a problem anymore. I just don't have any information on the quality of the problem and the fix itself causes a new problem. I reopened the above kde.org bug report, please follow it for more information.
Comment 22 Caleb Tennis (RETIRED) gentoo-dev 2004-12-19 06:06:06 UTC
This is fixed with 3.3.2.  A fix will is made available for 3.2.3, which I will attempt to get into portage soon, but it's a bit complicated.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-20 06:28:58 UTC
Caleb please provide an updated ebuild.
Comment 24 Caleb Tennis (RETIRED) gentoo-dev 2004-12-20 06:31:12 UTC
3.2.3 will be fixed as soon as I can (tonight).  

There is no fix for 3.3.1 other than to upgrade to 3.3.2, unfortunately.
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-20 08:42:26 UTC
Caleb it would be really nice if 3.3.2 is ready to go stable to fix this one.
Comment 26 Caleb Tennis (RETIRED) gentoo-dev 2004-12-27 07:17:47 UTC
Going to bump 3.3.2 to stable shortly (x86) - this is the recommended fix for this bug.
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-27 10:34:41 UTC
Thx Caleb.

Arches please mark stable:

kde-base/arts-1.3.2
kde-base/kdelibs-3.3.2-r1
kde-base/kdebase-3.3.2-r1
kde-base/kdepim-3.3.2
kde-base/kdegraphics-3.3.2-r1
kde-base/kdenetwork-3.3.2
kde-base/kdeaccessibility-3.3.2
kde-base/kdewebdev-3.3.2
kde-base/kdeadmin-3.3.2
kde-base/kdeartwork-3.3.2
kde-base/kdeutils-3.3.2
kde-base/kdemultimedia-3.3.2
kde-base/kdeaddons-3.3.2
kde-base/kdetoys-3.3.2
kde-base/kdeedu-3.3.2
kde-base/kdegames-3.3.2
kde-base/kde-3.3.2
Comment 28 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-29 11:39:28 UTC
Stable on alpha.
Comment 29 Hardave Riar (RETIRED) gentoo-dev 2005-01-01 13:36:28 UTC
Does this bug affect archs, such as mips, that do not have a java implementation?
Comment 30 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-03 04:15:34 UTC
Hardave 3.3.2 also fixes xpdf issues for kde 3.3.1. See bug 75204
Comment 31 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-03 12:03:01 UTC
Arches please mark kdelibs-3.3.2-r2 instead of -r1 (fix for bug #73759)
Comment 32 Guy Martin (RETIRED) gentoo-dev 2005-01-03 16:49:32 UTC
Stable on hppa.
Comment 33 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-01-03 19:58:54 UTC
All ebuilds mentioned in comments 24 and 28 are already stable on amd64.
Comment 34 Pieter Van den Abeele (RETIRED) gentoo-dev 2005-01-05 10:02:37 UTC
ppc done
Comment 35 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-05 14:22:59 UTC
Currently arts is broken for sparc, the problem being on kde 3.3.2 it breaks kicker. It's been broken since kde 3.2.x, but it never broke other stuff, except from the annoying arts startup problem messages.
I'm currently rebuilding kdelibs/base without arts support to check if masking arts would solve this. Once this is done i'll mask arts in the sparc profiles and then bump all the kde* stuff, hopefully for tomorrow morning.
Sorry for the delay on this, but i'm short on horsepower to build stuff, basically my box is just 7% idle for a cumulative uptime of 9 days, doing GLSAs, releng and porting stuff.
Comment 36 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-11 05:17:37 UTC
GLSA 200501-17

This bug will stay open until sparc has a stable version at which time the GLSA will be updated.
Comment 37 Jason Wever (RETIRED) gentoo-dev 2005-01-11 19:51:16 UTC
Stable on sparc
Comment 38 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-11 22:34:23 UTC
sparc stable closing with GLSA 200501-16

ia64 and mips remember to mark stable to benefit from the GLSA.