Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 353418 (CVE-2011-0025)

Summary: <dev-java/icedtea6-bin-1.9.5, <dev-java/icedtea-6.1.9.5: multiple vulnerabilities (CVE-2011-0025)
Product: Gentoo Security Reporter: Andrew John Hughes <gnu_andrew>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: java
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 352035    
Bug Blocks: 247140, 215614, 354231    

Description Andrew John Hughes 2011-02-01 17:32:43 UTC
http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/

Updated ebuilds available in java-overlay.

Reproducible: Always
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-02-02 14:34:06 UTC
Thanks for the new ebuilds, caster. Is it ok if we stabilize =dev-java/icedtea6-bin-1.9.5?
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-02-02 14:57:41 UTC
(In reply to comment #1)
> Thanks for the new ebuilds, caster. Is it ok if we stabilize
> =dev-java/icedtea6-bin-1.9.5?
 
Yes please, I was going to ask for it :)
Comment 3 blain 'Doc' Anderson 2011-02-03 22:21:23 UTC
amd64 stable


emerge --info
Portage 2.1.9.25 (default/linux/amd64/10.0, gcc-4.4.4, glibc-2.11.2-r3, 2.6.36-gentoo-r5 x86_64)
=================================================================
System uname: Linux-2.6.36-gentoo-r5-x86_64-AMD_Phenom-tm-_9650_Quad-Core_Processor-with-gentoo-1.12.14
Timestamp of tree: Wed, 02 Feb 2011 13:30:22 +0000
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.6.6-r1, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs collision-protect distlocks fixlafiles fixpackages multilib-strict news parallel-fetch protect-owned sandbox sfperms split-log strict test unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="rsync://mirrors.rit.edu/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl amd64 berkdb bzip2 cairo cli cracklib crypt cups cxx dbus device-mapper dri extras fortran gdbm gdu gpm gt3support gtk iconv ipv6 kde mmx mng modules mudflap multilib mysql ncurses nls nptl nptlonly opengl openmp pam pcre perl png policykit pppd python qt3support qt4 readline session sql sqlite sse sse2 ssl svg sysfs tcpd threads unicode webkit xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia vesa fbdev" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 4 Agostino Sarubbo gentoo-dev 2011-02-04 16:56:07 UTC
(In reply to comment #3)
> amd64 stable

+1
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2011-02-04 23:21:25 UTC
x86 stable
Comment 6 Alex Buell 2011-02-06 22:25:06 UTC
I can confirm that icedtea 6.1.9.5 bootstrapped just fine via gcj-jdk et. al. on SPARC :)
Comment 7 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-02-10 00:28:32 UTC
Stabilization superseeded by bug 354231
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-02-12 18:54:02 UTC
Stabilization completed in 354231. Rating this B4, which requires a vote.

GLSA Vote: no.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:23:51 UTC
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6541476  "PNG imageio plugin incorrectly handles iTXt chunk" might be worth a glsa? 
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:33:58 UTC
CVE-2011-0025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0025):
  IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not
  properly verify signatures for JAR files that (1) are "partially signed" or
  (2) signed by multiple entities, which allows remote attackers to trick
  users into executing code that appears to come from a trusted source.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:39:53 UTC
Vote: YES. Added to pending GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-06-29 15:28:43 UTC
This issue was resolved and addressed in
 GLSA 201406-32 at http://security.gentoo.org/glsa/glsa-201406-32.xml
by GLSA coordinator Mikle Kolyada (Zlogene).