Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 314531 - Sun JRE/JDK <1.6.0.20 java webstart code execution vulnerability (CVE-2010-{0886,0887})
Summary: Sun JRE/JDK <1.6.0.20 java webstart code execution vulnerability (CVE-2010-{0...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.reversemode.com/index.php?...
Whiteboard: A2 [glsa]
Keywords:
Depends on: 306579
Blocks:
  Show dependency tree
 
Reported: 2010-04-10 15:24 UTC by Hanno Böck
Modified: 2010-06-04 05:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2010-04-10 15:24:46 UTC 
A flaw in java webstart has been found that can execute code on the affected machine.

Affects probably all jdk/jre-versions based on the sun java vm we have in the tree.
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-04-10 21:12:31 UTC 
Andrew: you aware? does it apply to icedtea's plugin?
Comment 2 Andrew John Hughes 2010-04-11 22:44:10 UTC 
Sun's Web Start implementation was never open-sourced.  So it's not part of IcedTea or OpenJDK.
Comment 3 Andrew John Hughes 2010-04-12 21:41:23 UTC 
To our knowledge, this exploit does not affect the IcedTea plugin.  The MIME type given in the exploit is not accepted by the IcedTea plugin and even if VM arguments can reach it, a whitelist of such arguments is used to filter them.
Comment 4 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-04-12 21:46:36 UTC 
Updating summary. Also it's doubtful if this affects linux even with sun-jdk.
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-04-15 13:51:19 UTC 
http://java.sun.com/javase/6/webnotes/6u20.html

I can't decide from the list of bugs if this is the fix for this or not. Full descriptions seem to be not public, damnit.
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-04-16 06:06:46 UTC 
http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html

they say the webstart thing doesn't affect linux, but there's also another bug in the plugin, which does

also 6u20 dlj was released: https://jdk-distros.dev.java.net/developer.html
will bump in 3-4 hours unless someone is faster
Comment 7 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-04-16 09:42:41 UTC 
Sorry, the previous version didn't last long...

Arches, please test and mark stable:
=dev-java/sun-jre-bin-1.6.0.20
=dev-java/sun-jdk-1.6.0.20
Target keywords : "amd64 x86"

=app-emulation/emul-linux-x86-java-1.6.0.20
Target keywords : "amd64"
Comment 8 Andreas Schürch gentoo-dev 2010-04-19 08:52:20 UTC 
It looks good to go on the x86 side.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2010-04-20 09:54:51 UTC 
x86 stable
Comment 10 Markus Meier gentoo-dev 2010-04-26 19:11:04 UTC 
amd64 stable, all arches done.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 04:48:01 UTC 
GLSA together with bug 306579.
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 04:54:15 UTC 
CVE-2010-0886 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0886):
  Unspecified vulnerability in the Java Deployment Toolkit component in
  Oracle Java SE and Java for Business JDK and JRE 6 Update 10 through
  19 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors.

CVE-2010-0887 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0887):
  Unspecified vulnerability in the New Java Plug-in component in Oracle
  Java SE and Java for Business JDK and JRE 6 Update 18 and 19 allows
  remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors.
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 05:16:55 UTC 
GLSA 201006-18