Bug 178851 - dev-java/{sun-jdk|sun-jre-bin} 1.6.0* image parsing library vulnerabilities (ICC parsing, BMP parsing) (CVE-2007-2788, CVE-2007-2789)
Bug#: 178851
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: caster@gentoo.org
Component: Vulnerabilities
URL: http://scary.beasts.org/security/CESA-2006-004.html
Summary: dev-java/{sun-jdk|sun-jre-bin} 1.6.0* image parsing library vulnerabilities (ICC parsing, BMP parsing) (CVE-2007-2788, CVE-2007-2789)
Keywords:
Status Whiteboard: B2? [glsa+] jaervosz
Opened: 2007-05-17 09:42 0000
Originally reported by Martin Capitanio <gentoo-bug@capitanio.org> in bug 178575.
Programs affected: JDK 1.5.0_07-b03 and others.
Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06.
Severity: Probable remote compromise of systems which use the vulnerable JDK
APIs to parse images.
We already have 1.5.0.11 stabled so that's fine but we need to finally get them
to release 1.6.0_01 under DLJ.
Handling app-emulation/emul-linux-x86-java on bug 178962.
*** Bug 179155 has been marked as a duplicate of this bug. ***
To sum it up, for 1.6 this is probably [upstream] because they haven't released a
fixed version under the friendly license yet.
For 1.5 you could glsa it together with 176675 (if that's possible per your
policies?) because the fixed version is the same - 1.5.0.11. But this bug isn't
applicable for 1.4 which is also handled by 176675 so dunno.
Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
stable we (security) don't mind.
(In reply to comment #4)
> Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
> stable we (security) don't mind.
But x86 already stabilized 1.6.0 jre
(In reply to comment #6)
> (In reply to comment #4)
> > Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
> > stable we (security) don't mind.
>
> But x86 already stabilized 1.6.0 jre
>
u1 is out. x86 please mark stable
> u1 is out. x86 please mark stable
Precisely, dev-java/sun-jre-bin-1.6.0.01-r1
I stabled the wrong version, sorry for that. x86 done again
(In reply to comment #12)
> it was 200705-23 combined with bug 176675
But that wasn't dealing with the 1.6 JDK, because we didn't have a fixed version
available at that time.
Caster are we still waiting for upstream on 1.6?
We'll close this one once we have an unstable ebuild for 1.6.
(In reply to comment #14)
> Caster are we still waiting for upstream on 1.6?
No.
> We'll close this one once we have an unstable ebuild for 1.6.
You might want to do a GLSA because the vulnerable version was stable on x86 (and now
the fixed one is stable, see comment 11).
Vulnerable that was stable: dev-java/sun-jre-bin-1.6.0-r1
Fixed that is stable: dev-java/sun-jre-bin-1.6.0.01-r1
Security please comment on GLSA need.
we released glsa 200705-23 for a similar issue, so I guess we should have
another one for this.
I vote yes, we glsa'd the JPEG/BMP one, this is basically the same thing.
You can do the GLSA together with bug 183580, which is the same package in a different
slot (maybe I didn't have to open an extra bug for it anyway...)
changing product/component
please file security bugs in the Gentoo Security product
I would close this bug without a GLSA because the GLSA has been updated more
than half a year ago:
----------------------------
revision 1.2
date: 2007-06-05 16:24:43 +0200; author: falco; state: Exp; lines: +4 -3;
commitid: 72f7466571f24567;
add the 1.6.x branch of sun-jre-bin since it had been stabilized on x86 just a
few days before the glsa was sent.
----------------------------
--- glsa-200705-23.xml 31 May 2007 18:12:05 -0000 1.1
+++ glsa-200705-23.xml 5 Jun 2007 14:24:43 -0000 1.2
@@ -11,7 +11,7 @@
</synopsis>
<product type="ebuild">sun-jdk,sun-jre-bin</product>
<announced>May 31, 2007</announced>
- <revised>May 31, 2007: 01</revised>
+ <revised>June 05, 2007: 02</revised>
<bug>176675</bug>
<bug>178851</bug>
<access>remote</access>
@@ -22,9 +22,10 @@
<vulnerable range="lt">1.5.0.11</vulnerable>
</package>
<package name="dev-java/sun-jre-bin" auto="yes" arch="*">
- <unaffected range="ge">1.5.0.11</unaffected>
+ <unaffected range="rge">1.5.0.11</unaffected>
<unaffected range="rge">1.4.2.14</unaffected>
- <vulnerable range="lt">1.5.0.11</vulnerable>
+ <unaffected range="ge">1.6.0.01</unaffected>
+ <vulnerable range="lt">1.6.0.01</vulnerable>
</package>
</affected>
<background>
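Review bot: only the dev-java/sun-jre-bin block gains 1.6 ranges here; the preceding package block, whose closing `</package>` and `<vulnerable range="lt">1.5.0.11</vulnerable>` are the context at the top of this hunk, is left with no 1.6.0.01 entries. If the JDK slot of 1.6.0 is affected as the bug summary says, that block needs the same `<unaffected range="ge">1.6.0.01</unaffected>` / `<vulnerable range="lt">1.6.0.01</vulnerable>` pair, or the GLSA understates the affected set. The switch from `ge` to `rge` on 1.5.0.11 is the right companion to the new `lt 1.6.0.01` vulnerable range, since a plain `ge 1.5.0.11` would also have matched the vulnerable 1.6.0 revisions; that reasoning belongs in the commit log, which currently only mentions the x86 stabilization.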
Oh wait, that did not deal with the JDK. Assuming that was affected, it needs
to get GLSA'd.
GLSA 200804-20, sorry for the long delay.