72750 2004-11-28 10:54 0000 kde-base/kdebase Konqueror Java vulnerabilities 2006-03-23 19:17:38 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://www.kde.org/info/security/advisory-20041220-1.txt A2 [glsa] jaervosz P2 normal --- 73759 73795 75204 1 jaervosz@gentoo.org security@gentoo.org bugreports@tittel.net kde@gentoo.org roger55@gentoo.org jaervosz@gentoo.org 2004-11-28 10:54:18 0000 Konqueror 3.3.1 with sun-jdk 1.4.2_06 is listed as vulnerable according to the heise test: http://www.heise.de/security/dienste/browsercheck/tests/java.shtml jaervosz@gentoo.org 2004-11-29 02:05:02 0000 kde please test and confirm (remember blackdown on a web browser) asap. jaervosz@gentoo.org 2004-11-29 03:00:15 0000 tested with blackdown-jdk-1.4.2_01 and konqueror 3.3.1 and it is listed as vulnerable too. carlo@gentoo.org 2004-11-29 06:26:37 0000 It is a test for the Java sandbox bypassing issue, you could read about lately everywhere. This has nothing to do with any special browser. >=sun-jdk 1.4.2_06 and blackdown-jdk-1.4.2_01 (Bug 72221) are the safe versions. I did not try blackdown, but the "Sie k carlo@gentoo.org 2004-11-29 06:26:37 0000 It is a test for the Java sandbox bypassing issue, you could read about lately everywhere. This has nothing to do with any special browser. >=sun-jdk 1.4.2_06 and blackdown-jdk-1.4.2_01 (Bug 72221) are the safe versions. I did not try blackdown, but the "Sie können dies >hier< testen" popup with the text "Sieht gut aus, der Versuch lieferte einen Fehler: undefined" means that you're fine. jaervosz@gentoo.org 2004-11-29 07:36:06 0000 I'm getting "Sie jaervosz@gentoo.org 2004-11-29 07:36:06 0000 I'm getting "Sie sind verwundbar: [object Object ref=11299397]" with 1.4.2-01 from Blackdown Java-Linux Team according to the version string on heise.de. jaervosz@gentoo.org 2004-11-29 10:01:21 0000 Same with 1.4.2_06 from Sun Microsystems Inc. it gives "Sie jaervosz@gentoo.org 2004-11-29 10:01:21 0000 Same with 1.4.2_06 from Sun Microsystems Inc. it gives "Sie sind verwundbar: [object Object ref=5218268]" However this test: http://bcheck.scanit.be/bcheck/ seems to claim that konqueror is clean with both Blackdown and Sun jdk. langthang@gentoo.org 2004-11-29 10:57:57 0000 I get "Sieht gut aus, der Versuch lieferte einen Fehler: undefined" with blackdown-jdk-1.4.2.01. carlo@gentoo.org 2004-11-29 11:13:54 0000 Um, after having a look at my konqueror config and replacing /opt/sun-jdk-1.4.2.05/bin/java with the correct path /opt/sun-jdk-1.4.2.06/bin/java, I can reproduce your results, Sune. My main browser is Firebird, so I guess I muddled the Java is active samples from the one browser with the test of the other... Tuan, same for you? roger55@gentoo.org 2004-11-29 11:38:51 0000 Results with konqueror 3.3.1 and dev-java/blackdown-jdk-1.4.2.01 : On the heise.de site: First the test said vulnerable, I adjusted the java path, then it said invulnerable once (maybe the page wasn't fully loaded?), then vulnerable again. The http://bcheck.scanit.be/bcheck/ reports no vulnerabilities. jg@cms.ac 2004-11-29 12:13:35 0000 installed/used software: konqueror: v3.3.1 firefox: 1.0 dev-java/sun-jdk-1.4.2.06 dev-java/blackdown-jdk-1.4.1 dev-java/blackdown-jre-1.4.1 settings in konqueror: enable java globally is set. path to java executable, or 'java': will change in every test. testing: both the heise and bcheck tests plugin-settings untouched. i always restarted knqueror between each test and config change. test 1) path to java executable: /opt/blackdown-jdk-1.4.1/bin/java expected results: vulnerable results: heise: vulnerable bcheck: test1 (java): no result (0 vulnerabilities) test 2) path to java executable: /opt/blackdown-jre-1.4.1/bin/java expected results: vulnerable results: heise: vulnerable bcheck: test1 (java): no result (0 vulnerabilities) test 3) path to java executable: /opt/sun-jdk-1.4.2.06/bin/java expected results: NOT vulnerable results: heise: vulnerable bcheck: test1 (java): no result (0 vulnerabilities) ----- plugin settings: under plugins i still have the old paths that are expected to be vulnerable: /opt/sun-jdk-1.4.2.04/jre/plugin/i386/ns610-gcc32/ /opt/sun-jdk-1.4.2.04/jre/plugin/i386 scanning for new plugins doesn't remove them (of course...). i removed those old paths and did NOT enter the new ones for now. test 4) path to java executable: /opt/sun-jdk-1.4.2.06/bin/java expected results: NOT vulnerable results: heise: vulnerable bcheck: test1 (java): no result (0 vulnerabilities) i now entered the new paths for the plugins: /opt/sun-jdk-1.4.2.06/bin/java test 5) path to java executable: /opt/sun-jdk-1.4.2.06/bin/java expected results: NOT vulnerable results: heise: vulnerable bcheck: test1 (java): no result (0 vulnerabilities) entering "about:plugins" in the location bar, konqueror says: Java Plug-in | Java Plug-in KJAS for Konqueror | kjavaappletviewer.so removing this shared object file renders java unusable (heise reports deactivated). deactivating plugins globally doesn't help either. the heise test still reports vulnerable. i think it could be related to the kjavaappletviewer.so file. any kde pros here? i'll recompile kdelibs (will take 1-2h), maybe the kjava* stuff is linked to some java version during compilation? --- last tests for now: emerge latest blackdown* versions - rerunning the heise test still says vulnerable (though correct sun-jdk path). BUT: ==== moving all vulnerable java-versions (sun, blackdown) from /opt to /tmp did help! heise now says: NOT vulnerable: undefined. (bcheck still doesn't report anything, i won't check this test anymore) JG jg@cms.ac 2004-11-29 13:07:33 0000 well, i did not recompile kdelibs yet. but i can confirm comment #8. my system still reports "vulnerable" although i moved all older java-versions to /tmp. if i click the link *before* the page is fully loaded it says "undefined" afterwards: "vulnerable" JG carlo@gentoo.org 2004-11-30 05:12:42 0000 http://bugs.kde.org/show_bug.cgi?id=94164 michael.mauch@gmx.de 2004-11-30 08:25:16 0000 I unemerged all vulnerable Java versions, then re-emerged kdelibs and even rebooted: the Heise test still says "vulnerable". jaervosz@gentoo.org 2004-12-06 09:22:49 0000 Still nothing from upstream. carlo@gentoo.org 2004-12-09 08:52:44 0000 According to Stepan Kulow, this is fixed with KDE 3.3.2. Caleb, Motaboy, anyone else: I'm still not subscribed to any kde lists, do you have more information about the issue? Do we have to backport for 3.2.3? caleb@gentoo.org 2004-12-09 09:31:37 0000 I haven't seen anything from any list about this as a vulnerability. carlo@gentoo.org 2004-12-09 10:03:00 0000 Well, I did not try to write a real exploit, but it looks similar to Opera's recent Java sandbox problem, just revealed by the tests for the other Java sandbox issue and thanks to Sune, testing Konqueror. I'll ask Stephen. jaervosz@gentoo.org 2004-12-09 11:27:41 0000 kde please confirm if this is fixed with 3.3.2? carlo@gentoo.org 2004-12-11 07:45:55 0000 Sune, the result is now "Sie sind verwundbar: undefined" so it seems this is not a problem anymore. I just don't have any information on the quality of the problem and the fix itself causes a new problem. I reopened the above kde.org bug report, please follow it for more information. caleb@gentoo.org 2004-12-19 06:06:06 0000 This is fixed with 3.3.2. A fix will is made available for 3.2.3, which I will attempt to get into portage soon, but it's a bit complicated. jaervosz@gentoo.org 2004-12-20 06:28:58 0000 Caleb please provide an updated ebuild. caleb@gentoo.org 2004-12-20 06:31:12 0000 3.2.3 will be fixed as soon as I can (tonight). There is no fix for 3.3.1 other than to upgrade to 3.3.2, unfortunately. jaervosz@gentoo.org 2004-12-20 08:42:26 0000 Caleb it would be really nice if 3.3.2 is ready to go stable to fix this one. caleb@gentoo.org 2004-12-27 07:17:47 0000 Going to bump 3.3.2 to stable shortly (x86) - this is the recommended fix for this bug. jaervosz@gentoo.org 2004-12-27 10:34:41 0000 Thx Caleb. Arches please mark stable: kde-base/arts-1.3.2 kde-base/kdelibs-3.3.2-r1 kde-base/kdebase-3.3.2-r1 kde-base/kdepim-3.3.2 kde-base/kdegraphics-3.3.2-r1 kde-base/kdenetwork-3.3.2 kde-base/kdeaccessibility-3.3.2 kde-base/kdewebdev-3.3.2 kde-base/kdeadmin-3.3.2 kde-base/kdeartwork-3.3.2 kde-base/kdeutils-3.3.2 kde-base/kdemultimedia-3.3.2 kde-base/kdeaddons-3.3.2 kde-base/kdetoys-3.3.2 kde-base/kdeedu-3.3.2 kde-base/kdegames-3.3.2 kde-base/kde-3.3.2 kloeri@gentoo.org 2004-12-29 11:39:28 0000 Stable on alpha. hardave@gentoo.org 2005-01-01 13:36:28 0000 Does this bug affect archs, such as mips, that do not have a java implementation? jaervosz@gentoo.org 2005-01-03 04:15:34 0000 Hardave 3.3.2 also fixes xpdf issues for kde 3.3.1. See bug 75204 jaervosz@gentoo.org 2005-01-03 12:03:01 0000 Arches please mark kdelibs-3.3.2-r2 instead of -r1 (fix for bug #73759) gmsoft@gentoo.org 2005-01-03 16:49:32 0000 Stable on hppa. cryos@gentoo.org 2005-01-03 19:58:54 0000 All ebuilds mentioned in comments 24 and 28 are already stable on amd64. pvdabeel@gentoo.org 2005-01-05 10:02:37 0000 ppc done gustavoz@gentoo.org 2005-01-05 14:22:59 0000 Currently arts is broken for sparc, the problem being on kde 3.3.2 is breaks kicker. It's been broken since kde 3.2.x, but it never broke other stuff, except from the annoying arts startup problem messages. I'm currently rebuilding kdelibs/base without arts support to check if masking arts would solve this. Once this is done i'll mask arts in the sparc profiles and then bump all the kde* stuff, hopefully for tomorrow morning. Sorry for the delay on this, but i'm short on horsepower to build stuff, basically my box is just 7% idle for a cumulative uptime of 9 days, doing GLSAs, releng and porting stuff. jaervosz@gentoo.org 2005-01-11 05:17:37 0000 GLSA 200501-17 This bug will stay open until sparc has a stable version at which time the GLSA will be updated. weeve@gentoo.org 2005-01-11 19:51:16 0000 Stable on sparc jaervosz@gentoo.org 2005-01-11 22:34:23 0000 sparc stable closing with GLSA 200501-16 ia64 and mips remember to mark stable to benifit from the GLSA.