Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 352035 (CVE-2010-4351)

Summary: <dev-java/icedtea6-bin-1.9.4 JNLP security manager bypass (CVE-2010-4351)
Product: Gentoo Security Reporter: Andrew John Hughes <gnu_andrew>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: java
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=663680
Whiteboard: C2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 247140, 215614, 346799, 353418    

Description Andrew John Hughes 2011-01-18 14:57:20 UTC
http://blog.fuseyism.com/index.php/2011/01/18/security-icedtea6-177-184-194-released/

Updated ebuilds in java-overlay.

Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-01-18 18:03:00 UTC
Quoting $URL:
It was discovered that the JNLPSecurityManager in certain cases failed to
properly implement the security policy, and did not throw an exception to
prevent completion of a possibly unsafe or sensitive operation and simply
returned from the checkPermission method. 

Any service relying on the SecurityManager.checkPermission() method to throw an
exception then incorrectly assumed that the permission was granted.
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-01-21 00:23:02 UTC
(In reply to comment #0)
> Updated ebuilds in java-overlay.

In tree as well, for the source dev-java/icedtea package. Now building icedtea6-bin.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-21 11:16:45 UTC
CVE-2010-4351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4351):
  The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7,
  1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from
  the checkPermission method instead of throwing an exception in
  certain circumstances, which might allow context-dependent attackers
  to bypass the intended security policy by creating instances of
  ClassLoader.

Comment 4 hhaamu 2011-01-21 13:41:45 UTC
The version bump for dev-java/icedtea caused bug 352314
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-01-21 23:35:36 UTC
Done, please stabilize dev-java/icedtea6-bin-1.9.4
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-22 09:13:27 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2011-01-22 13:26:47 UTC
amd64 ok
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-01-22 17:56:42 UTC
amd64 done. Thanks Agostino
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-01-22 21:32:27 UTC
Thanks, folks. Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-06-29 15:28:34 UTC
This issue was resolved and addressed in
 GLSA 201406-32 at http://security.gentoo.org/glsa/glsa-201406-32.xml
by GLSA coordinator Mikle Kolyada (Zlogene).