| Field | Value |
|---|---|
| Summary | dev-java/sun-jdk: ebuild insecure temporary file handling |
| Product | Gentoo Security |
| Reporter | Tavis Ormandy (RETIRED) <taviso> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | java |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | All |
| Whiteboard | B3 [noglsa] jaervosz |
| Package list | |
| Runtime testing required | --- |
Description
Tavis Ormandy (RETIRED)
2005-03-24 14:42:54 UTC
ok, patch applied

Is this bug Gentoo-ebuild-specific? Or does it affect every JDK installer? In which case we should transmit to Sun.

luckyduck: you should revbump so that if we issue a GLSA about this we get a "fixed" from version.

Koon: it's part of the installation routine from sun (ie, not gentoo's fault), so we should inform upstream? these are also affected: dev-java/sun-jre-bin, dev-java/blackdown-jdk, dev-java/blackdown-jre. the same patch should work.

can this be done with sed too? don't want to be DEPEND'ing on perl

axxo: yep, if you'd prefer. This works fine: `sed -i 's#/tmp/unpack.log#/dev/null\x00\x00\x00\x00\x00\x00#g' $UNPACK_CMD`

applied to all vulnerable packages/versions. old and vulnerable revisions are removed from the tree, the new revisions which aren't vulnerable are:

- sun-jdk-1.4.2.07-r1
- sun-jdk-1.5.0.02-r1
- sun-jre-bin-1.4.2.07-r1
- sun-jre-bin-1.5.0.01-r1
- blackdown-jdk-1.4.2.01-r2
- blackdown-jre-1.4.2.01-r1

there are versions in the tree which don't make use of $UNPACK_CMD at all. i haven't touched these versions.

Arches please test and mark stable (if possible):

- blackdown-jdk-1.4.2.01-r2: amd64, ppc?, sparc?, x86
- blackdown-jre-1.4.2.01-r1: ppc?, sparc?

Jan, please check that the Sun packages have proper keywords.

ppc doesn't use blackdown.

blackdown-jdk-1.4.2.01-r2 stable on amd64

At last check, there was no blackdown-j*-1.4.2* for SPARC. The latest we have is 1.4.1. Not sure how you want to handle that.

i think the keywords are fine now, there was no sparc and no ppc keyword in any of the vulnerable versions. versions <=1.4.1 don't make use of this installing scheme and $UNPACK_CMD etc. seems that everything is fine now

Removing SPARC then since we aren't affected.

This one is ready for GLSA decision.

I would vote no... My logic being that upgrading won't solve anything. People with the affected package already installed are not vulnerable to anything. Only people re-installing old versions would be. So I would remove all affected versions and close this one without GLSA.

i don't have a right to vote, but i agree. all affected versions aren't in the tree any longer.

I agree -> closing without GLSA.
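The sed one-liner above pads `/dev/null` with NUL bytes so that the patched string stays exactly as long as `/tmp/unpack.log`, which is what makes it safe to apply to a self-extracting binary whose payload offsets must not shift. As an added illustration (not code from the bug thread or from the ebuilds), the following Python does the same length-preserving rewrite for any hard-coded `/tmp/<name>` string, checks that the replacement fits, and verifies the blob size is unchanged; the installer stub it operates on is a constructed stand-in.

```python
import re

# Constructed stand-in for a self-extracting installer: a shell stub that logs
# to a fixed, predictable path under /tmp, followed by a binary payload whose
# byte offsets must not move when the stub is patched.
INSTALLER = (
    b'#!/bin/sh\n'
    b'tail -n +10 "$0" | tar xvf - > /tmp/unpack.log 2>&1\n'
    b'exit 0\n'
    + bytes(range(256))
)

# Fixed /tmp/<name> strings are the risky pattern: a predictable file name that
# another local user can pre-create or symlink before the installer runs.
TMP_PATH = re.compile(rb'/tmp/[A-Za-z0-9._-]+')


def find_tmp_paths(data: bytes) -> list:
    """Return every hard-coded /tmp/<name> string found in the blob."""
    return [m.group(0) for m in TMP_PATH.finditer(data)]


def neutralize_path(data: bytes, path: bytes, replacement: bytes = b'/dev/null') -> bytes:
    """Overwrite `path` with `replacement`, NUL-padded to the original length.

    This mirrors the sed command from the bug ('/dev/null' + six \\x00): the
    string is a C-style terminated string inside the installer, so the NULs
    end it early while keeping every later byte at the same offset.
    """
    if len(replacement) > len(path):
        raise ValueError("replacement longer than original; cannot patch in place")
    padded = replacement + b'\x00' * (len(path) - len(replacement))
    return data.replace(path, padded)


def patch_installer(data: bytes) -> bytes:
    """Neutralize every hard-coded /tmp path, refusing any size change."""
    patched = data
    for path in set(find_tmp_paths(data)):
        patched = neutralize_path(patched, path)
    if len(patched) != len(data):
        raise RuntimeError("patched blob changed size; payload offsets would shift")
    return patched
```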