Bug 186277 - dev-java/{ibm-jdk-bin|ibm-jre-bin}-{1.4.2.8|1.5.0.5} affected by GLSA 200705-23
Bug#: 186277 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: caster@gentoo.org
Component: Vulnerabilities
URL:  http://scary.beasts.org/security/CESA-2006-004.html
Summary: dev-java/{ibm-jdk-bin|ibm-jre-bin}-{1.4.2.8|1.5.0.5} affected by GLSA 200705-23
Keywords:  
Status Whiteboard: B4? [glsa]
Opened: 2007-07-22 21:57 0000
Description:   Opened: 2007-07-22 21:57 0000 
At least on my x86, the testcases found at $URL are crashing it similarly to
Sun JDK (bug 178851, I think IBM licenses most of their code anyway).

I'm bumping to 1.4.2.9 which I found to be released and that has it apparently
fixed (safe java exception about bad ICC data instead of crash). But we'll need
to wait for update of the 1.5 slot.

------- Comment #1 From Vlastimil Babka (Caster) 2007-07-22 22:10:09 0000 ------- 
Arches please stabilize:
dev-java/ibm-jdk-bin-1.4.2.9
dev-java/ibm-jre-bin-1.4.2.9

Sorry to amd64 which just stabilized 1.4.2.8 before I found out about the new
one :)
You can get the distfiles via ssh from d.g.o/~caster/tmp to avoid hassle with
IBM accounts.

------- Comment #2 From Christian Faulhammer 2007-07-23 07:48:37 0000 ------- 
(In reply to comment #1)
> You can get the distfiles via ssh from d.g.o/~caster/tmp to avoid hassle with
> IBM accounts.

 To be honest: This type of download restriction is a fucking piece of shit and
I just hate it.  If I ever meet the responsible person I will hit him/her hard
in the face.

x86 stable

------- Comment #3 From Markus Rothe 2007-07-25 05:27:04 0000 ------- 
ppc64 stable

------- Comment #4 From Tobias Scherbaum 2007-07-27 22:56:02 0000 ------- 
ppc stable

------- Comment #5 From Steve Dibb 2007-08-12 14:36:40 0000 ------- 
amd64 stable

------- Comment #6 From Vlastimil Babka (Caster) 2007-08-21 10:13:08 0000 ------- 
OK, so IBM released 1.5.0.5a which is just security fixes and apparently fixes
this one vulnerability.

Added to tree, arches please stabilize:
dev-java/ibm-jdk-bin-1.5.0.5a
dev-java/ibm-jre-bin-1.5.0.5a

Note that jre SLOT 1.5 was not stable yet, but 1) 1.5.0.5 was there in ~arch
for two months and 1.5.0.5a is only security fix (according to changelog) and
2) jre is just a subset of jdk which is stable, so I think there's no need to
wait 30 days.
You can get the distfiles again per comment 1. (i'm still uploading tho so you
might have to wait if you are too fast :)

------- Comment #7 From Christian Faulhammer 2007-08-21 18:04:41 0000 ------- 
x86 stable

------- Comment #8 From Tobias Scherbaum 2007-08-22 16:00:47 0000 ------- 
ppc stable

------- Comment #9 From Markus Rothe 2007-08-29 10:11:18 0000 ------- 
ppc64 stable

------- Comment #10 From Steve Dibb 2007-09-08 01:23:13 0000 ------- 
amd64 stable

------- Comment #11 From Vlastimil Babka (Caster) 2007-09-08 01:46:56 0000 ------- 
Which was last arch.

------- Comment #12 From Matt Drew 2007-09-09 22:23:48 0000 ------- 
I'll vote yes - the linked URL is talking about exploitable buffer overflows.

------- Comment #13 From Pierre-Yves Rofes 2007-09-12 08:37:10 0000 ------- 
voting yes too, maybe combined with the sun jdk/jre draft.

------- Comment #14 From Robert Buchholz 2008-06-26 13:06:55 0000 ------- 
GLSA 200806-11