+++ This bug was initially created as a clone of Bug #178851 +++
Originally reported by Martin Capitanio <gentoo-bug@capitanio.org> in bug 178575.
Programs affected: JDK 1.5.0_07-b03 and others.
Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06.
Severity: Probable remote compromise of systems which use the vulnerable JDK APIs to parse images.
We already have 1.5.0.11 stabled so that's fine but we need to finally get them to release 1.6.0_01 under DLJ.
Should be also combined with bug 176675 (which issued glsa for jdk/jre but not the emul package and there's no extra bug for it like this one). Here vulnerable is <=1.5.0.10 and fixed is >1.5.0.11 only, 1.6 is not stable
Hmm, this bug is only about 1.5.0.11, so why does it depend on bug 178851? Also beandog already stabled emul-linux-x86-java-1.5.0.11 and .10 is removed, so this is actually fixed :>
woops, didn't want to remove amd64 from CC
I guess this one is ready for GLSA.
Yeah no need to depend on that bug and CC amd64 anymore.
[GLSA] status since it's a B2, it's in the way...
hlieberman pointed out that the 1.4 branch is affected, too. since it's slotted we need a new package for that. i propose that we get the GLSA for 1.5 out and release/update one for 1.4 asap afterwards
Right, I could reproduce it in 1.4 with the jpg file (bmp seems to use something unsupported so it just gives safe java backtrace). But that's the latest version available, so we need a release first and then ebuild. Now the real not funny part - it's crashing also ibm-jdk-bin 1.4 + 1.5 and jrockit-jdk-bin 1.4 + 1.5. We are all doomed.
what do you want amd64 to do?
(In reply to comment #9)
> what do you want amd64 to do?
You're listed as (co)maintainer
<pkgmetadata>
  <herd>amd64</herd>
  <herd>java</herd>
  <maintainer>
    <email>herbs@gentoo.org</email>
  </maintainer>
</pkgmetadata>
(In reply to comment #10)
> (In reply to comment #9)
> > what do you want amd64 to do?
>
> You're listed as (co)maintainer
yes, but what do you want amd64 to do? p.mask all the emul versions? only some? remove some from the tree? I don't see how we can fix the bug, only bump the emul package to a version you (java team) say is stable and lacks the vuln. please advise.
(In reply to comment #11)
> please advise.
I'd wait for a fixed sun-jdk-1.4 and bump the emul 1.4 package based on that version. Currently it's still based on blackdown which has dead upstream so we won't see a fixed release from there.
If you want to p.mask the 1.4 meanwhile, depends on you. IIRC nothing depends on it (but not 100% sure) and people who install the emul package for java in 32bit firefox-bin should be using 1.5/1.6 anyway. I don't know what other purpose it has on amd64 :)
(In reply to comment #12)
> (In reply to comment #11)
> > please advise.
>
> I'd wait for a fixed sun-jdk-1.4 and bump the emul 1.4 package based on that
> version. Currently it's still based on blackdown which has dead upstream so we
> won't see a fixed release from there.
>
> If you want to p.mask the 1.4 meanwhile, depends on you. IIRC nothing depends
> on it (but not 100% sure) and people who install the emul package for java in
> 32bit firefox-bin should be using 1.5/1.6 anyway. I don't know what other
> purpose it has on amd64 :)
>
I'll wait for the security people to tell me if I should mask the 1.4 series. the only valid use for it I can see is the binary stuff (outside of portage) that for whatever reason doesn't work on >1.4.
GLSA 200706-08. Strictly speaking following the GLSA policy, there is no imperative need to mask 1.4, since the GLSA says that users should upgrade to >=1.5.0.11. But personally I would prefer masking it. Additionally, the vulnerable ebuilds will be removed from portage one day or another... As you want!
Looks like fixed sun-jdk-1.4.2.15 is here (see bug 183580) so we can finally switch the emul 1.4 slot to use that instead of dead blackdown.
Sun confirmed 1.4.2.15 fixes it: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1 I would make the ebuild but I run x86, needs someone from Java team with amd64 :)
(In reply to comment #16)
> Sun confirmed 1.4.2.15 fixes it:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1
>
> I would make the ebuild but I run x86, needs someone from Java team with amd64
> :)
>
It really doesn't. You just use the same ebuild as for x86 but just depend on the emul-linux-x86-* packages instead of the normal ones. Of course you are not able to test on amd64 but you can use the stuff it installs just fine on x86. I have done this many times in the past.
Caster please provide an updated ebuild.
ok, finally changed to sun jre and updated to emul-linux-x86-java-1.4.2.16 amd64 please stabilize
OK. I now have this stable on amd64...
Now the already released GLSA 200706-08 from comment 14 could be slotted as we have a fixed 1.4 slot version...
This bug does not affect 2008.0 snapshot, removing release@ from CC.
(In reply to comment #22)
> Now the already released GLSA 200706-08 from comment 14 could be slotted as we
> have a fixed 1.4 slot version...
Done, I will not send an update GLSA, because this will be glsa'd with the other Sun bugs.
GLSA 200804-20, sorry for the long delay.