Bug#: 72750
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Bug 72750 blocks: 73759 73795 75204

Description:   Opened: 2004-11-28 10:54 0000
Konqueror 3.3.1 with sun-jdk 1.4.2_06 is listed as vulnerable according to the
heise test:

http://www.heise.de/security/dienste/browsercheck/tests/java.shtml

------- Comment #1 From Sune Kloppenborg Jeppesen 2004-11-29 02:05:02 0000 -------
kde please test and confirm (remember blackdown on a web browser) asap.

------- Comment #2 From Sune Kloppenborg Jeppesen 2004-11-29 03:00:15 0000 -------
tested with blackdown-jdk-1.4.2_01 and konqueror 3.3.1 and it is listed as
vulnerable too.

------- Comment #4 From Carsten Lohrke 2004-11-29 06:26:37 0000 -------
It is a test for the Java sandbox bypassing issue, you could read about lately
everywhere. This has nothing to do with any special browser. >=sun-jdk 1.4.2_06
and blackdown-jdk-1.4.2_01 (Bug 72221) are the safe versions.

I did not try blackdown, but the "Sie können dies >hier< testen" popup with
the text "Sieht gut aus, der Versuch lieferte einen Fehler: undefined" means
that you're fine.

------- Comment #6 From Sune Kloppenborg Jeppesen 2004-11-29 07:36:06 0000 -------
I'm getting "Sie sind verwundbar: [object Object ref=11299397]" with
1.4.2-01 from Blackdown Java-Linux Team according to the version string on
heise.de.

------- Comment #8 From Sune Kloppenborg Jeppesen 2004-11-29 10:01:21 0000 -------
Same with 1.4.2_06 from Sun Microsystems Inc. it gives
"Sie sind verwundbar: [object Object ref=5218268]"

However this test: http://bcheck.scanit.be/bcheck/ seems to claim that
konqueror is clean with both Blackdown and Sun jdk.

------- Comment #9 From Tuan Van (RETIRED) 2004-11-29 10:57:57 0000 -------
I get "Sieht gut aus, der Versuch lieferte einen Fehler: undefined" with
blackdown-jdk-1.4.2.01.

------- Comment #10 From Carsten Lohrke 2004-11-29 11:13:54 0000 -------
Um, after having a look at my konqueror config and replacing
/opt/sun-jdk-1.4.2.05/bin/java with the correct path
/opt/sun-jdk-1.4.2.06/bin/java, I can reproduce your results, Sune. My main
browser is Firebird, so I guess I muddled the Java is active samples from the
one browser with the test of the other... 

Tuan, same for you?

------- Comment #11 From roger55 (RETIRED) 2004-11-29 11:38:51 0000 -------
Results with konqueror 3.3.1 and dev-java/blackdown-jdk-1.4.2.01 :

On the heise.de site: First the test said vulnerable, I adjusted the java path, then it said invulnerable once (maybe the page wasn't fully loaded?), then vulnerable again.
 
The http://bcheck.scanit.be/bcheck/ reports no vulnerabilities.



------- Comment #12 From JG 2004-11-29 12:13:35 0000 -------
installed/used software:
konqueror: v3.3.1
firefox: 1.0
dev-java/sun-jdk-1.4.2.06
dev-java/blackdown-jdk-1.4.1
dev-java/blackdown-jre-1.4.1

settings in konqueror: enable java globally is set.
path to java executable, or 'java': will change in every test.

testing: both the heise and bcheck tests

plugin-settings untouched. i always restarted konqueror between each test and config change.

test 1)
 path to java executable: /opt/blackdown-jdk-1.4.1/bin/java
 expected results: vulnerable
 results:
   heise: vulnerable
   bcheck: test1 (java): no result (0 vulnerabilities)

test 2)
 path to java executable: /opt/blackdown-jre-1.4.1/bin/java
 expected results: vulnerable
 results:
   heise: vulnerable
   bcheck: test1 (java): no result (0 vulnerabilities)

test 3)
 path to java executable: /opt/sun-jdk-1.4.2.06/bin/java
 expected results: NOT vulnerable
 results:
   heise: vulnerable
   bcheck: test1 (java): no result (0 vulnerabilities)

-----
plugin settings:
under plugins i still have the old paths that are expected to be vulnerable:
/opt/sun-jdk-1.4.2.04/jre/plugin/i386/ns610-gcc32/
/opt/sun-jdk-1.4.2.04/jre/plugin/i386

scanning for new plugins doesn't remove them (of course...).
i removed those old paths and did NOT enter the new ones for now.

test 4)
 path to java executable: /opt/sun-jdk-1.4.2.06/bin/java
 expected results: NOT vulnerable
 results:
   heise: vulnerable
   bcheck: test1 (java): no result (0 vulnerabilities)

i now entered the new paths for the plugins:
/opt/sun-jdk-1.4.2.06/bin/java

test 5)
 path to java executable: /opt/sun-jdk-1.4.2.06/bin/java
 expected results: NOT vulnerable
 results:
   heise: vulnerable
   bcheck: test1 (java): no result (0 vulnerabilities)

entering "about:plugins" in the location bar, konqueror says: 
Java Plug-in | Java Plug-in KJAS for Konqueror | kjavaappletviewer.so
removing this shared object file renders java unusable (heise reports deactivated).

deactivating plugins globally doesn't help either. the heise test still reports vulnerable.

i think it could be related to the kjavaappletviewer.so file. any kde pros here? 
i'll recompile kdelibs (will take 1-2h), maybe the kjava* stuff is linked to some java version during compilation?

---
last tests for now:
emerge latest blackdown* versions - rerunning the heise test still says vulnerable (though correct sun-jdk path).

BUT:
====
moving all vulnerable java-versions (sun, blackdown) from /opt to /tmp did help!
heise now says: NOT vulnerable: undefined.
(bcheck still doesn't report anything, i won't check this test anymore)

JG

------- Comment #13 From JG 2004-11-29 13:07:33 0000 -------
well, i did not recompile kdelibs yet.
but i can confirm comment #8. my system still reports "vulnerable" although i moved all older java-versions to /tmp. if i click the link *before* the page is fully loaded it says "undefined" afterwards: "vulnerable"

JG



------- Comment #14 From Carsten Lohrke 2004-11-30 05:12:42 0000 -------
http://bugs.kde.org/show_bug.cgi?id=94164

------- Comment #15 From Michael Mauch 2004-11-30 08:25:16 0000 -------
I unemerged all vulnerable Java versions, then re-emerged kdelibs and even
rebooted: the Heise test still says "vulnerable".

------- Comment #16 From Sune Kloppenborg Jeppesen 2004-12-06 09:22:49 0000 -------
Still nothing from upstream.

------- Comment #17 From Carsten Lohrke 2004-12-09 08:52:44 0000 -------
According to Stepan Kulow, this is fixed with KDE 3.3.2.

Caleb, Motaboy, anyone else: I'm still not subscribed to any kde lists, do you have more information about the issue? Do we have to backport for 3.2.3?

------- Comment #18 From Caleb Tennis 2004-12-09 09:31:37 0000 -------
I haven't seen anything from any list about this as a vulnerability.

------- Comment #19 From Carsten Lohrke 2004-12-09 10:03:00 0000 -------
Well, I did not try to write a real exploit, but it looks similar to Opera's
recent Java sandbox problem, just revealed by the tests for the other Java
sandbox issue and thanks to Sune, testing Konqueror. I'll ask Stephen.

------- Comment #20 From Sune Kloppenborg Jeppesen 2004-12-09 11:27:41 0000 -------
kde please confirm if this is fixed with 3.3.2?

------- Comment #21 From Carsten Lohrke 2004-12-11 07:45:55 0000 -------
Sune, the result is now "Sie sind verwundbar: undefined" so it seems this is
not a problem anymore. I just don't have any information on the quality of the
problem and the fix itself causes a new problem. I reopened the above kde.org
bug report, please follow it for more information.

------- Comment #22 From Caleb Tennis 2004-12-19 06:06:06 0000 -------
This is fixed with 3.3.2.  A fix will is made available for 3.2.3, which I will
attempt to get into portage soon, but it's a bit complicated.

------- Comment #23 From Sune Kloppenborg Jeppesen 2004-12-20 06:28:58 0000 -------
Caleb please provide an updated ebuild.

------- Comment #24 From Caleb Tennis 2004-12-20 06:31:12 0000 -------
3.2.3 will be fixed as soon as I can (tonight).  

There is no fix for 3.3.1 other than to upgrade to 3.3.2, unfortunately.

------- Comment #25 From Sune Kloppenborg Jeppesen 2004-12-20 08:42:26 0000 -------
Caleb it would be really nice if 3.3.2 is ready to go stable to fix this one.

------- Comment #26 From Caleb Tennis 2004-12-27 07:17:47 0000 -------
Going to bump 3.3.2 to stable shortly (x86) - this is the recommended fix for
this bug.

------- Comment #27 From Sune Kloppenborg Jeppesen 2004-12-27 10:34:41 0000 -------
Thx Caleb.

Arches please mark stable:

kde-base/arts-1.3.2
kde-base/kdelibs-3.3.2-r1
kde-base/kdebase-3.3.2-r1
kde-base/kdepim-3.3.2
kde-base/kdegraphics-3.3.2-r1
kde-base/kdenetwork-3.3.2
kde-base/kdeaccessibility-3.3.2
kde-base/kdewebdev-3.3.2
kde-base/kdeadmin-3.3.2
kde-base/kdeartwork-3.3.2
kde-base/kdeutils-3.3.2
kde-base/kdemultimedia-3.3.2
kde-base/kdeaddons-3.3.2
kde-base/kdetoys-3.3.2
kde-base/kdeedu-3.3.2
kde-base/kdegames-3.3.2
kde-base/kde-3.3.2

------- Comment #28 From Bryan Østergaard (RETIRED) 2004-12-29 11:39:28 0000 -------
Stable on alpha.

------- Comment #29 From Hardave Riar (RETIRED) 2005-01-01 13:36:28 0000 -------
Does this bug affect archs, such as mips, that do not have a java
implementation?

------- Comment #30 From Sune Kloppenborg Jeppesen 2005-01-03 04:15:34 0000 -------
Hardave 3.3.2 also fixes xpdf issues for kde 3.3.1. See bug 75204

------- Comment #31 From Sune Kloppenborg Jeppesen 2005-01-03 12:03:01 0000 -------
Arches please mark kdelibs-3.3.2-r2 instead of -r1 (fix for bug #73759)

------- Comment #32 From Guy Martin 2005-01-03 16:49:32 0000 -------
Stable on hppa.

------- Comment #33 From Marcus D. Hanwell 2005-01-03 19:58:54 0000 -------
All ebuilds mentioned in comments 24 and 28 are already stable on amd64.

------- Comment #34 From Pieter Van den Abeele 2005-01-05 10:02:37 0000 -------
ppc done

------- Comment #35 From Gustavo Zacarias (RETIRED) 2005-01-05 14:22:59 0000 -------
Currently arts is broken for sparc, the problem being on kde 3.3.2 it breaks
kicker. It's been broken since kde 3.2.x, but it never broke other stuff,
except from the annoying arts startup problem messages.
I'm currently rebuilding kdelibs/base without arts support to check if masking
arts would solve this. Once this is done i'll mask arts in the sparc profiles
and then bump all the kde* stuff, hopefully for tomorrow morning.
Sorry for the delay on this, but i'm short on horsepower to build stuff,
basically my box is just 7% idle for a cumulative uptime of 9 days, doing
GLSAs, releng and porting stuff.

------- Comment #36 From Sune Kloppenborg Jeppesen 2005-01-11 05:17:37 0000 -------
GLSA 200501-17

This bug will stay open until sparc has a stable version at which time the GLSA will be updated.

------- Comment #37 From Jason Wever (RETIRED) 2005-01-11 19:51:16 0000 -------
Stable on sparc

------- Comment #38 From Sune Kloppenborg Jeppesen 2005-01-11 22:34:23 0000 -------
sparc stable closing with GLSA 200501-16

ia64 and mips remember to mark stable to benefit from the GLSA.
