Summary: | app-emulation/emul-linux-x86-java - multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Vic Fryzel (shellsage) (RETIRED) <shellsage> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | java |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3/2? [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Vic Fryzel (shellsage) (RETIRED)
2006-12-31 02:11:15 UTC
amd64 please advise and bump as necessary. amd64 team? And there is maybe http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1 too, i don't know exactly. see bug 158659 The construct.sh script is used only during emerge, and for dev-java/sun-jre-bin{1.5,1.6} too. So if we fix it, there's no point in bump. Doesn't sandbox cover this, though? (In reply to comment #3) > The construct.sh script is used only during emerge, and for > dev-java/sun-jre-bin{1.5,1.6} too. So if we fix it, there's no point in bump. > Doesn't sandbox cover this, though? OK, sandbox covers the construct.sh insecure temporary file usage. But there is also several vulnerabilities reported in bug 158659, in particular: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1 I think (IMHO) this affects the emulation Java package too. there was a stable request anyway (bug 151705), so amd64 stable. What you stabled wasn't fixed at all. I'll list it clearly: 1.5.0.08 - based on sun-jre-bin-1.5.0.08, vulnerable the same way as bug 158659 and bug 162511 - needs to be bumped to 1.5.0.10 first, then stable 1.4.2.03 - based on blackdown-jre, probably vulnerable as bug 161835 - since there's no new blackdown version, we could bump to version based on sun-jre-bin-1.4.2.13 instead of blackdown, at the cost of fetch restriction BTW, I've fixed the problem with /tmp usage by changing it to ${T}. as construct.sh is used only during emerge, no need to bump/stable/glsa for this. wltjr commited 1.5.0.10, but he's not arch team member with stable system/chroot so can amd64 stable that? (In reply to comment #7) > wltjr commited 1.5.0.10, but he's not arch team member with stable > system/chroot so can amd64 stable that? > amd64 stable nothing to do for amd64 here I vote for a GLSA, see 200701-15. i'm actually the only active member of the security team, so i can't apply the policy telling that 2 positive votes include a GLSA. Let's have one btw :) GLSA 200702-08, thx amd and java teams |