Bug 178575 - dev-java/sun-jdk-1.6.0* and dev-java/sun-jre-bin-1.6.0* internal copy of libpng is vulnerable to CVE-2006-5793
Summary: dev-java/sun-jdk-1.6.0* and dev-java/sun-jre-bin-1.6.0* internal copy of libp...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://bugs.sun.com/bugdatabase/view_...
Whiteboard: B3 [noglsa]
Keywords: PMASKED
Depends on:
Blocks: 177842 179162 java-security
Reported: 2007-05-14 21:41 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2014-06-10 23:42 UTC

See Also:
Package list:
Runtime testing required: ---


Description Diego Elio Pettenò (RETIRED) gentoo-dev 2007-05-14 21:41:29 UTC
As per summary, with the disclosure of OpenJDK sources we can confirm that the libpng copy on it is not patched to fix the vulnerability in summary (CVE-2006-5793), which makes its splashscreen support vulnerable to that issue.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-15 06:46:10 UTC
java please advise and bump as necessary.
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-05-15 07:48:13 UTC
Cannot bump, upstream has to confirm the bug first (Diego please post upstream URL when they accept it) and hopefully fix it. How do you know it affects also 1.6? OpenJDK is 1.7. What about 1.5 or even 1.4? :)
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-05-15 10:33:46 UTC
From a reply of Phil Race on awt-dev:

> libgif and libpng are only in JDK since 1.6, and the same is
> true for splashscreen's use of openjdk so there's not too
> much history there to worry about yet.

The code of libpng released with OpenJDK is not patched, so I don't think they patched the 1.6 release either; they didn't seem to know about it to begin with.
Comment 4 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-05-15 19:40:34 UTC
Hm and just recently we asked for the JRE to go stable, and x86 already did it.
But if I understand correctly, it will just crash the JVM when starting some app with malicious splash screen? And no execution of code?
Comment 5 Martin Capitanio 2007-05-17 06:58:44 UTC
(In reply to comment #4)
> app with malicious splash screen? And no execution of code?

http://scary.beasts.org/security/CESA-2006-004.html

Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06.

gentoo>java -version
1.6.0-b105 ???
1.5.0_11-b03

_Reported date: October 2006._
Advisory release date: May 15th 2007.

"This, on Linux, causes the image parsing thread to hang whilst trying to read from /dev/tty."
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-05-17 09:43:12 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > app with malicious splash screen? And no execution of code?
> 
> http://scary.beasts.org/security/CESA-2006-004.html

That's a different issue, I've created bug 178851 for it, thanks for reporting!
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-05-18 16:39:51 UTC
The bug report was accepted by Sun, but it will take a day or two before being visible at the URL I just added to the report.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-19 22:32:33 UTC
Handling 179162 on bug #179162.
Comment 9 Petteri Räty (RETIRED) gentoo-dev 2007-06-02 16:21:27 UTC
Sun released u1, so x86 please mark sun-jre-bin-1.6.0.1 stable.
Comment 10 Petteri Räty (RETIRED) gentoo-dev 2007-06-02 16:32:43 UTC
(In reply to comment #9)
> Sun released u1, so x86 please mark sun-jre-bin-1.6.0.1 stable.
> 

Take that back. This issue is not fixed with u1.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-01 02:17:21 UTC
Petteri, any news on this one?
Comment 12 Petteri Räty (RETIRED) gentoo-dev 2007-07-01 08:25:36 UTC
(In reply to comment #11)
> Petteri, any news on this one?
> 

It will take a while before Sun is able to react to this. Hopefully in time for u2 but I am betting u3.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-21 06:16:01 UTC
Petteri, any news on this one?
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-11-07 19:49:20 UTC
Petteri, any news on this one?
Comment 15 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-11-08 06:19:40 UTC
The upstream bug is still not public. We should be asking Diego if he got any response...
Comment 16 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-11-08 10:54:47 UTC
The bug is private to me too, I had no direct response though.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 23:47:52 UTC
"This bug is not available." -- is there any update available here? If not, we should contact the Sun people.
Comment 18 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-07 18:46:13 UTC
Any news available here? Any comments from upstream?
Comment 19 Matti Bickel (RETIRED) gentoo-dev 2008-12-26 23:03:40 UTC
A year and half old bug and still no upstream fix? What's going on here?
Comment 20 Andrew John Hughes 2008-12-31 11:18:15 UTC
Note that this doesn't affect icedtea6 as it fixes Sun's build system to link against the system libpng.
Comment 21 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-02-19 12:41:32 UTC
Seems to me sun-jdk-1.6 still uses libpng 1.2.8:

caster@macpro /opt/sun-jdk-1.6.0.18/jre/lib/amd64 $ objdump -FD libsplashscreen.so | grep -A 5 png_libpng_ver
000000000002f5f0 <png_libpng_ver> (File Offset: 0x2f5f0):
   2f5f0:       31 2e                   xor    %ebp,(%rsi)
   2f5f2:       32 2e                   xor    (%rsi),%ch
   2f5f4:       38 00                   cmp    %al,(%rax)
        ...

(the symbol is a normal C string which I read "1.2.8")

which is a shame, as openjdk seems to use 1.2.18 and the affected versions are libpng 1.0.6 through 1.2.12 according to the CVE.
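Comment 21 reads the embedded libpng version out of libsplashscreen.so by hand with objdump. As an added example that is not part of the bug thread or of any Gentoo or Sun code, the script below automates that check against a constructed stand-in file and compares the result with the 1.0.6 through 1.2.12 range the comment cites; the helper names are assumptions and versions are assumed to be purely numeric dotted triples.

```sh
# Added example, not code from the bug thread: automates the check comment 21
# did by hand with objdump, i.e. reads the libpng version string baked into a
# shared object and tests it against the range the CVE entry lists (1.0.6
# through 1.2.12). Helper names are hypothetical; versions are numeric triples.

# Numeric compare of two dotted versions; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        [ "${ai:-0}" -lt "${bi:-0}" ] && { printf '%s\n' -1; return 0; }
        [ "${ai:-0}" -gt "${bi:-0}" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}

# True (exit 0) if version $1 lies in the affected range [1.0.6, 1.2.12].
libpng_affected() {
    [ "$(vercmp "$1" 1.0.6)" -ge 0 ] && [ "$(vercmp "$1" 1.2.12)" -le 0 ]
}

# Split the file into printable runs (what `strings` does), prefer libpng's
# "libpng version X.Y.Z" banner, else take the first bare "1.x.y" literal
# (the png_libpng_ver bytes in the objdump; this fallback may pick a JDK version).
bundled_libpng_version() {
    runs=$(tr -c '[:print:]' '\n' < "$1")
    v=$(printf '%s\n' "$runs" | sed -n 's/.*libpng version \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1)
    [ -n "$v" ] || v=$(printf '%s\n' "$runs" | grep -E '^1\.[0-9]+\.[0-9]+$' | head -n 1)
    printf '%s\n' "$v"
}

# Prints "<version> affected" (exit 1), "<version> ok" (exit 0) or "unknown" (exit 2).
check_file() {
    v=$(bundled_libpng_version "$1")
    [ -n "$v" ] || { echo unknown; return 2; }
    if libpng_affected "$v"; then echo "$v affected"; return 1; fi
    echo "$v ok"
}

# Constructed stand-in for libsplashscreen.so carrying the strings comment 21
# saw, with a JDK-looking "1.6.0" placed first to show the banner wins.
sample_so() {
    f=$(mktemp)
    printf '%s\0' junk 1.6.0 'libpng version 1.2.8 - December 3, 2004' 1.2.8 > "$f"
    echo "$f"
}
[ $# -eq 1 ] && check_file "$1"
```

Run it as `sh check.sh /opt/sun-jdk-1.6.0.18/jre/lib/amd64/libsplashscreen.so` to classify a real library; the exit status is 1 when the bundled version is in the affected range.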
Comment 22 Ralph Sennhauser (RETIRED) gentoo-dev 2012-09-28 15:26:58 UTC
1.2.8 is still used in sun-jdk-1.6.0.35 whether patched or not. oracle-jdk-bin-1.7.0.7 is using libpng 1.5.4 instead.
Comment 23 Sergey Popov gentoo-dev 2013-11-25 16:43:48 UTC
sun-jdk and sun-jre-bin are PMASKED
Comment 24 Sean Amoss (RETIRED) gentoo-dev Security 2014-06-10 23:42:15 UTC
Packages are masked and all users were advised to switch to Oracle packages in GLSA 201401-30.