Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 194711

Summary: security bugs in <=dev-java/sun-j[dk,re]-1.6.0.02 / <=dev-java/sun-j[dk,re]-1.5.0.12 / <=dev-java/sun-j[dk,re]-1.4.2.15 (CVE-2007-{5232,5237,5238,5239,5240,5273,5274,5689})
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: bernd, chainsaw, java
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: ? [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 178962    
Bug Blocks: 198644, 215614    

Description Stefan Behte (RETIRED) gentoo-dev Security 2007-10-04 14:07:09 UTC 
Hi, the bug reports can be found at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1

Affected Versions:
    * JDK and JRE 6 Update 2 and earlier
    * JDK and JRE 5.0 Update 12 and earlier
    * SDK and JRE 1.4.2_15 and earlier
    * SDK and JRE 1.3.1_20 and earlier

JDK:
dev-java/sun-jdk-1.5.0.13 is in portage, but it's keyworded, we should stabilize it ASAP and mask 1.5.0.12. The same applies to 1.6.0.02/1.6.0.03.

1.4.2.16 is not in portage yet, should be added and then 1.4.2.15 should be masked, too.

JRE:
For dev-java/sun-jre there are only vulnerable versions in portage. We need the new ones and then the old ones should be masked.
Comment 1 Petteri Räty (RETIRED) gentoo-dev 2007-10-04 14:27:06 UTC 
amd64:
sun-jdk-1.5.0.13
sun-jdk-1.6.0.03
sun-jre-bin-1.5.0.13
sun-jre-bin-1.6.0.03
emul-linux-x86-java-1.5.0.13
emul-linux-x86-java-1.6.0.03
x86:
sun-jdk-1.4.2.16
sun-jdk-1.5.0.13
sun-jdk-1.6.0.03
sun-jre-bin-1.4.2.16
sun-jre-bin-1.5.0.13
sun-jre-bin-1.6.0.03
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-04 18:47:03 UTC 
x86 stable
Comment 3 Carsten Lohrke (RETIRED) gentoo-dev 2007-10-04 23:11:42 UTC 
Don't miss app-emulation/emul-linux-x86-java in the GLSA. Also the three month old bug 185256 didn't got a GLSA yet...
Comment 4 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-10-12 00:35:05 UTC 
amd64 stable, along with java-sdk-docs and sun-jce-bin 1.6.0 deps
Comment 5 Chí-Thanh Christopher Nguyễn gentoo-dev 2007-10-19 14:42:59 UTC 
(In reply to comment #4)
> amd64 stable, along with java-sdk-docs and sun-jce-bin 1.6.0 deps

maybe you could also mark virtual/jdk-1.6.0 stable while you are at it?
Comment 6 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-10-19 14:56:54 UTC 
virtual/jdk-1.6.0 stable on amd64, thanks for mentioning repoman didn't catch it, and I forgot about it :)
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-10-24 01:12:11 UTC 
New vulnerability that should be mentioned in a GLSA.

A vulnerability in the Virtual Machine of the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

..
This issue is addressed in the following releases (for Windows, Solaris, and Linux):

    * JDK and JRE 6 Update 3 or later
    * JDK and JRE 5.0 Update 13 or later
    * SDK and JRE 1.4.2_16 or later

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-10-24 01:12:33 UTC 
amd64, is there anything left to do for you?
Comment 9 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-11-03 15:59:37 UTC 
amd64 was done long ago.
Just the emul-linux-x86-java-1.4 stabling in bug 178962 and a GLSA on this could superseed and finally close all those open bugs on sun and emul stuff pending just glsa.
Comment 10 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-06 23:44:12 UTC 
OK.  I now have everything done for amd64...
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 10:42:44 UTC 
This bug does not affect 2008.0 snapshot, removing release@ from CC.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 16:55:16 UTC 
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 23:44:43 UTC 
GLSA 200804-20, sorry for the long delay.