Bug 554886 (CVE-2015-2590) - dev-java/oracle-{jdk,jre}-bin-1.8.0.51: Multiple vulnerabilities (CVE-2015-{2590,2601,2613,2619,2621,2625,2627,2628,2632,2637,2638,2659,2664,2808,4000,4729,4731,4732,4733,4736,4748,4760})
Summary: dev-java/oracle-{jdk,jre}-bin-1.8.0.51: Multiple vulnerabilities (CVE-2015-{2...
Status: RESOLVED FIXED
Alias: CVE-2015-2590
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://blog.trendmicro.com/trendlabs-...
Whiteboard: A2 [glsa cve]
Keywords:
Duplicates: 554930 555022 556022
Depends on:
Blocks:
Reported: 2015-07-14 12:10 UTC by Alexander Bezrukov
Modified: 2016-03-12 12:41 UTC
Description Alexander Bezrukov 2015-07-14 12:10:05 UTC
Researchers from Trend Micro found a new exploit hosted on some web servers on the Internet, which allows for arbitrary code execution (drive-by download). 1.8.0.45 is affected, j{dk,re}-1.7* are not. While the payload being distributed targets Windows computers, it is unclear whether the vulnerability allowing for execution of arbitrary code exists in the JRE/JDK distribution for other OSes too, or not.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-14 12:23:42 UTC
(In reply to Alexander Bezrukov from comment #0)
> Researchers from Trend Micro found a new exploit hosted on some web servers
> on the Internet, which allows for arbitrary code execution (drive-by
> download). 1.8.0.45 is affected, j{dk,re}-1.7* are not. While the payload being
> distributed targets Windows computers, it is unclear whether the
> vulnerability allowing for execution of arbitrary code exists in the JRE/JDK
> distribution for other OSes too, or not.

Thanks for the report. Since this source (${URL}) is public, is there a reason for submitting it as a classified / restricted bug report? Or should this bug be made public?
Comment 2 Alexander Bezrukov 2015-07-14 12:35:25 UTC
(In reply to Kristian Fiskerstrand from comment #1)
> Thanks for the report. Since this source (${URL}) is public, is there a
> reason for submitting it as a classified / restricted bug report? Or should
> this bug be made public?

Perhaps it should be made public. AFAIK, there is no CVE assigned yet and Oracle is silent about this vulnerability. So marking it private I shifted the responsibility for this to Gentoo security :)
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-14 12:42:54 UTC
(In reply to Alexander Bezrukov from comment #2)
> (In reply to Kristian Fiskerstrand from comment #1)
> > Thanks for the report. Since this source (${URL}) is public, is there a
> > reason for submitting it as a classified / restricted bug report? Or should
> > this bug be made public?
> 
> Perhaps it should be made public. AFAIK, there is no CVE assigned yet and
> Oracle is silent about this vulnerability. So marking it private I shifted
> the responsibility for this to Gentoo security :)

Thanks for the clarification. Since the source is public I'm lifting the restriction.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-15 10:18:40 UTC
*** Bug 554930 has been marked as a duplicate of this bug. ***
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-15 10:19:36 UTC
This issue is addressed in java-8u51
Comment 6 Agostino Sarubbo gentoo-dev 2015-07-16 09:10:45 UTC
*** Bug 555022 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2015-07-16 09:12:18 UTC
Please state the package name entirely or everyone will file a duplicate.
Comment 8 wyvern5 2015-07-25 20:06:38 UTC
1.8u51 has been out for a while; when can we expect to see ebuilds? Thanks!
Comment 9 James Le Cuirot gentoo-dev 2015-07-25 20:50:43 UTC
(In reply to wyvern5 from comment #8)
> 1.8u51 has been out for a while; when can we expect to see ebuilds? Thanks!

I was overseas for my grandfather's funeral when this came up. I have also taken the opportunity to address many issues with the current ebuild, some of which have resulted in bugs being filed. I have been working on it all week and hope to finish it tonight or tomorrow.
Comment 10 James Le Cuirot gentoo-dev 2015-07-26 22:37:26 UTC
I think the ebuilds are ready now but there's been some USE flag changes that will require me to adjust several Portage profiles. They really need cleaning up anyway; several still refer to sun-jdk and sun-jre, for example. It's late now and I don't want to risk fucking this up so I'll wait till tomorrow.
Comment 11 James Le Cuirot gentoo-dev 2015-07-27 11:51:03 UTC
*** Bug 556022 has been marked as a duplicate of this bug. ***
Comment 12 James Le Cuirot gentoo-dev 2015-07-29 12:53:31 UTC
Job done. Arch teams, please stabilize:

dev-java/oracle-jdk-bin-1.8.0.51
dev-java/oracle-jre-bin-1.8.0.51
dev-java/java-sdk-docs-1.8.0.51
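The fix line stated in comments 5 and 12 (java-8u51, i.e. the 1.8.0.51 ebuilds) gives an administrator a concrete threshold to audit against. The following Python script is an added example, not part of this bug report or of Gentoo's tooling: it parses version strings in the three forms that appear on this page (Portage atom `1.8.0.51`, JDK `1.8.0_45`, and the `8u51` shorthand), splits `qlist -Iv` style package atoms, and classifies each installed `dev-java/oracle-{jdk,jre}-bin` as fixed or still vulnerable. The `qlist` output and `java -version` output embedded below are constructed samples; the function names are the example's own. Branches other than 1.8 are reported as "not-covered" rather than guessed at, since this bug only records the 1.8 fix.

```python
import re

# Fixed release recorded in comments 5 and 12 of this bug (java-8u51 / *-1.8.0.51).
FIXED_VERSION = (1, 8, 0, 51)
# Package atoms listed in comment 12 that carry the fix.
AFFECTED_PACKAGES = ("dev-java/oracle-jdk-bin", "dev-java/oracle-jre-bin")

# Constructed sample of `qlist -Iv` output (app-portage/portage-utils), not real data.
SAMPLE_QLIST = """\
dev-java/oracle-jdk-bin-1.8.0.45
dev-java/oracle-jre-bin-1.8.0.51
dev-java/java-sdk-docs-1.8.0.51
dev-java/oracle-jdk-bin-1.7.0.80
"""

# Constructed sample of `java -version` output (note: the JVM prints this on stderr).
SAMPLE_JAVA_VERSION = """\
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)
"""

_VERSION_RE = re.compile(
    r"""
    (?:(?P<maj>\d+)\.(?P<min>\d+)\.(?P<mic>\d+)[._](?P<upd>\d+))   # 1.8.0.51 or 1.8.0_51
    |(?:(?P<short_min>\d+)u(?P<short_upd>\d+))                     # 8u51 shorthand
    """,
    re.VERBOSE,
)
_ATOM_RE = re.compile(r"^(?P<pkg>.+?)-(?P<ver>\d[\d.]*(?:-r\d+)?)$")


def parse_version(text):
    """Return (major, minor, micro, update) from any of the version spellings on
    this page; Portage revisions like '-r1' are ignored for the comparison."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no recognisable version in {text!r}")
    if m.group("maj"):
        return tuple(int(m.group(g)) for g in ("maj", "min", "mic", "upd"))
    # "8u51" is Oracle's short form of 1.8.0_51
    return (1, int(m.group("short_min")), 0, int(m.group("short_upd")))


def split_atom(atom):
    """Split 'dev-java/oracle-jdk-bin-1.8.0.51-r1' into (package, version)."""
    m = _ATOM_RE.match(atom.strip())
    if not m:
        raise ValueError(f"not a versioned package atom: {atom!r}")
    return m.group("pkg"), m.group("ver")


def assess(atom):
    """Classify one installed atom as 'fixed', 'vulnerable' or 'not-covered'.
    'not-covered' means the package or branch is outside what this bug tracks."""
    pkg, ver = split_atom(atom)
    if pkg not in AFFECTED_PACKAGES:
        return "not-covered"
    v = parse_version(ver)
    if v[:2] != FIXED_VERSION[:2]:
        return "not-covered"  # e.g. the 1.7 branch; this bug records only the 1.8 fix
    return "fixed" if v >= FIXED_VERSION else "vulnerable"


def assess_qlist(output):
    """Run assess() over every non-empty line of `qlist -Iv` output."""
    return {line.strip(): assess(line) for line in output.splitlines() if line.strip()}


def java_version_status(output):
    """Classify the runtime actually on PATH from its `java -version` banner."""
    v = parse_version(output.splitlines()[0])
    if v[:2] != FIXED_VERSION[:2]:
        return "not-covered"
    return "fixed" if v >= FIXED_VERSION else "vulnerable"


if __name__ == "__main__":
    for atom, status in assess_qlist(SAMPLE_QLIST).items():
        print(f"{status:12s} {atom}")
    print(f"{java_version_status(SAMPLE_JAVA_VERSION):12s} java on PATH")
```

On a real host, replace the two constructed samples with `subprocess.run(["qlist", "-Iv"], ...)` and `subprocess.run(["java", "-version"], stderr=subprocess.PIPE, ...)`; checking both matters because Portage records what is installed while `java -version` reveals which runtime `eselect java-vm` has actually selected for use.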
Comment 13 Agostino Sarubbo gentoo-dev 2015-07-30 09:56:55 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-07-30 09:58:44 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 15 James Le Cuirot gentoo-dev 2015-07-30 10:12:58 UTC
Clean up done.
Comment 16 Patrice Clement gentoo-dev 2015-08-14 18:30:04 UTC
ping
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 03:59:40 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 12:41:00 UTC
This issue was resolved and addressed in GLSA 201603-11 at https://security.gentoo.org/glsa/201603-11 by GLSA coordinator Kristian Fiskerstrand (K_F).