178851 2007-05-17 09:42 0000 dev-java/{sun-jdk|sun-jre-bin} 1.6.0* image parsing library vulnerabilities (ICC parsing, BMP parsing) (CVE-2007-2788, CVE-2007-2789) 2008-04-17 23:43:35 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://scary.beasts.org/security/CESA-2006-004.html B2? [glsa+] jaervosz P2 normal --- 172854 177842 215614 1 caster@gentoo.org security@gentoo.org java@gentoo.org caster@gentoo.org 2007-05-17 09:42:13 0000 Originally reported by Martin Capitanio <gentoo-bug@capitanio.org> in bug 178575. Programs affected: JDK 1.5.0_07-b03 and others. Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06. Severity: Probable remote compromise of systems which use the vulnerable JDK APIs to parse images. We already have 1.5.0.11 stabled so that's fine but we need to finally get them to release 1.6.0_01 under DLJ. jaervosz@gentoo.org 2007-05-18 06:41:23 0000 Handling app-emulation/emul-linux-x86-java on bug 178962. jaervosz@gentoo.org 2007-05-19 22:29:10 0000 *** Bug 179155 has been marked as a duplicate of this bug. *** caster@gentoo.org 2007-05-20 20:30:13 0000 To sum it up, for 1.6 this is probably [upstream] because they didn't release fixed version under the friendly license yet. For 1.5 you could glsa it together with 176675 (if that's possible per your policies?) because the fixed version is the same - 1.5.0.11. But this bug isn't applicable for 1.4 which is also handled by 176675 so dunno. jaervosz@gentoo.org 2007-05-21 03:52:06 0000 Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not stable we (security) don't mind. falco@gentoo.org 2007-06-01 07:14:45 0000 200705-23 combined with bug 176675 caster@gentoo.org 2007-06-01 07:41:48 0000 (In reply to comment #4) > Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not > stable we (security) don't mind. But x86 already stabilized 1.6.0 jre betelgeuse@gentoo.org 2007-06-02 16:33:41 0000 (In reply to comment #6) > (In reply to comment #4) > > Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not > > stable we (security) don't mind. > > But x86 already stabilized 1.6.0 jre > u1 is out. x86 please mark stable caster@gentoo.org 2007-06-03 22:44:45 0000 > u1 is out. x86 please mark stable Precisely, dev-java/sun-jre-bin-1.6.0.01-r1 fauli@gentoo.org 2007-06-04 07:48:54 0000 x86 stable betelgeuse@gentoo.org 2007-06-04 21:12:18 0000 (In reply to comment #9) > x86 stable > Or not. 04 Jun 2007; Christian Faulhammer <opfer@gentoo.org> ChangeLog: stable x86, security bug 178851 fauli@gentoo.org 2007-06-05 05:11:46 0000 I stabled the wrong version, sorry for that. x86 done again falco@gentoo.org 2007-06-10 18:16:59 0000 it was 200705-23 combined with bug 176675 caster@gentoo.org 2007-06-10 18:31:49 0000 (In reply to comment #12) > it was 200705-23 combined with bug 176675 But that wasn't dealing with 1.6 JDK, because we didn't have fixed version available that time. jaervosz@gentoo.org 2007-06-11 06:41:11 0000 Caster are we still waiting for upstream on 1.6? We'll close this one once we have an unstable ebuild for 1.6. caster@gentoo.org 2007-06-11 08:59:56 0000 (In reply to comment #14) > Caster are we still waiting for upstream on 1.6? No. > We'll close this one once we have an unstable ebuild for 1.6. You might want to do glsa because vulnerable version was stable on x86 (and now the fixed one is stable, see comment 11) Vulnerable that was stable: dev-java/sun-jre-bin-1.6.0-r1 Fixed that is stable: dev-java/sun-jre-bin-1.6.0.01-r1 jaervosz@gentoo.org 2007-06-16 06:56:01 0000 Security please comment on GLSA need. py@gentoo.org 2007-06-20 08:25:39 0000 we released glsa 200705-23 for a similar issue, so I guess we should have another one for this. jaervosz@gentoo.org 2007-07-01 02:17:52 0000 Security please vote. aetius@gentoo.org 2007-07-02 21:25:01 0000 I vote yes, we glsa'd the JPEG/BMP one, this is basically the same thing. caster@gentoo.org 2007-07-02 21:32:24 0000 You can do the GLSA together with bug 183580 which is same package different slot (maybe I didn't have to open extra bug for it anyways...) jaervosz@gentoo.org 2007-07-15 07:24:02 0000 Voting YES. vorlon@gentoo.org 2007-09-11 11:21:35 0000 changing product/component please file security bugs in the Gentoo Security product rbu@gentoo.org 2008-03-31 19:05:43 0000 I would close this bug without a GLSA because the GLSA has been updated more than half a year ago: ---------------------------- revision 1.2 date: 2007-06-05 16:24:43 +0200; author: falco; state: Exp; lines: +4 -3; commitid: 72f7466571f24567; add the 1.6.x branch of sun-jre-bin since it had been stabilized on x86 just a few days before the glsa was sent. ---------------------------- --- glsa-200705-23.xml 31 May 2007 18:12:05 -0000 1.1 +++ glsa-200705-23.xml 5 Jun 2007 14:24:43 -0000 1.2 @@ -11,7 +11,7 @@ </synopsis> <product type="ebuild">sun-jdk,sun-jre-bin</product> <announced>May 31, 2007</announced> - <revised>May 31, 2007: 01</revised> + <revised>June 05, 2007: 02</revised> <bug>176675</bug> <bug>178851</bug> <access>remote</access> @@ -22,9 +22,10 @@ <vulnerable range="lt">1.5.0.11</vulnerable> </package> <package name="dev-java/sun-jre-bin" auto="yes" arch="*"> - <unaffected range="ge">1.5.0.11</unaffected> + <unaffected range="rge">1.5.0.11</unaffected> <unaffected range="rge">1.4.2.14</unaffected> - <vulnerable range="lt">1.5.0.11</vulnerable> + <unaffected range="ge">1.6.0.01</unaffected> + <vulnerable range="lt">1.6.0.01</vulnerable> </package> </affected> <background> rbu@gentoo.org 2008-03-31 19:09:34 0000 Oh wait, that did not deal with the JDK. Assuming that was affected, it needs to get GLSA'd. rbu@gentoo.org 2008-04-17 23:43:35 0000 GLSA 200804-20, sorry for the long delay.