| Summary: | <dev-java/icedtea-web-1.4.2, <dev-java/icedtea-bin-6.1.13.3-r3: insecure temporary directory use (CVE-2013-6493) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | java |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2014/02/07/11 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-02-16 11:37:34 UTC
Not sure if this affects 1.3.2 which is built into icedtea-bin-6, or just 1.4 series :/ I guess 1.3.2 is also affected, so it's time icedtea-bin:6 stopped bundling it, and depend on 1.4.2 which can handle multiple icedtea versions in single installation. So I made dev-java/icedtea-bin-6.1.13.3-r1 revbump that should be tested and stabilized together with dev-java/icedtea-web-1.4.2. Testing means trying javaws on some webstart file, and checking if the browser plugin works. Thanks.

I get:

dependency.bad 22
dev-java/icedtea-web/icedtea-web-1.4.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['dev-java/icedtea:7']

Please fix bug #502280 first.

With bug #502280 closed, please advise when you want to go to stabilization.

Actually it seems that icedtea-web only has ~arch ebuilds and not stable, so it seems we don't need to stabilize it.

(In reply to Paweł Hajdan, Jr. from comment #6)
> Actually it seems that icedtea-web only has ~arch ebuilds and not stable, so
> it seems we don't need to stabilize it.

This was a question for dev-java/icedtea-bin to stabilize 6.1.13.3-r1 as per comment 2 above. Sorry for not asking specifics. icedtea-web does not need to be stabilized, just tested.

(In reply to Yury German from comment #7)
> (In reply to Paweł Hajdan, Jr. from comment #6)
> > Actually it seems that icedtea-web only has ~arch ebuilds and not stable, so
> > it seems we don't need to stabilize it.
>
> This was a question for dev-java/icedtea-bin to stabilize 6.1.13.3-r1 as per
> comment 2 above. Sorry for not asking specifics. icedtea-web does not need
> to be stabilized, just tested.

No, it needs to be stabilized. icedtea-bin (which is stable) bundles a vulnerable version of icedtea-web. Now it's possible to unbundle it, so that icedtea-bin PDEPENDS on icedtea-web. But for that, icedtea-web needs to be stable.

(In reply to Agostino Sarubbo from comment #3)
> I get:
>
> dependency.bad 22
>
> dev-java/icedtea-web/icedtea-web-1.4.2.ebuild: DEPEND:
> amd64(default/linux/amd64/13.0) ['dev-java/icedtea:7']

I have fixed this by stripping the icedtea7 USE flag from icedtea-web-1.4.2, and creating an icedtea-web-1.4.2-r1 revbump that keeps it. Also for bug 502280, dev-java/icedtea-bin-6.1.13.3-r1 had to be revbumped to dev-java/icedtea-bin-6.1.13.3-r3 (without a change, but previously the bug was fixed without revbump so people didn't get the fix). So to sum up, please stabilize the following:

dev-java/icedtea-bin-6.1.13.3-r3
dev-java/icedtea-web-1.4.2 (NOT -r1)

Thanks.

Arches, please test and mark stable:
=dev-java/icedtea-bin-6.1.13.3-r3
=dev-java/icedtea-web-1.4.2
(New Stabilization - see comment #8)
Target Keywords : "amd64 x86"

RepoMan scours the neighborhood...
>>> Creating Manifest for /home/at/gentoo-x86/dev-java/icedtea-bin
dependency.bad 11
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome/systemd) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/kde) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/kde/systemd) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/developer) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64/no-multilib) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64/no-multilib/selinux) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64/selinux) ['dev-java/icedtea-web:0[icedtea7]']
(In reply to Agostino Sarubbo from comment #10)
> RepoMan scours the neighborhood...
>
> >>> Creating Manifest for /home/at/gentoo-x86/dev-java/icedtea-bin
> dependency.bad 11
>
> dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND:
> amd64(default/linux/amd64/13.0) ['dev-java/icedtea-web:0[icedtea7]']

I'm updating title so it says 'dev-java/icedtea-bin-6.1.13.3-r3' explicitly. I will also remove -r0 and -r1 to be sure.

(In reply to Agostino Sarubbo from comment #10)
> RepoMan scours the neighborhood...
>
> >>> Creating Manifest for /home/at/gentoo-x86/dev-java/icedtea-bin
> dependency.bad 11
>
> dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND:
> amd64(default/linux/amd64/13.0) ['dev-java/icedtea-web:0[icedtea7]']

Should be fixed, please try again.

amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

GLSA vote: no

GLSA Vote: No

No GLSA will be issued. Maintainer(s), please drop the vulnerable version.

CVE-2013-6493 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6493): The LiveConnect implementation in plugin/icedteanp/IcedTeaNPPlugin.cc in IcedTea-Web before 1.4.2 allows local users to read the messages between a Java applet and a web browser by pre-creating a temporary socket file with a predictable name in /tmp.

Vulnerable versions have been removed a while ago. Closing as it's noglsa.
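The CVE text quoted in the thread describes the bug class but not the mechanics, so the following is an added example (written for this page, not IcedTea-Web's code and not the fix that shipped in 1.4.2). It first reproduces the weakness in one process: a "plugin" opens an AF_UNIX socket at a path derived only from guessable data under the shared /tmp, an "attacker" who binds that path first receives the plugin's message. It then shows the usual hardening: create a private 0700 directory with mkdtemp(), verify it, and bind the socket inside it without ever unlink()ing a pre-existing path. The socket names, the message text and the helper names are constructed for the demo; Linux with glibc is assumed.

```c
/* Added example, not IcedTea-Web code: a predictable /tmp socket path (the
 * pattern behind CVE-2013-6493) next to a socket inside a private mkdtemp()
 * directory. Socket names and the message are constructed for this demo.
 * Linux/glibc assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Helper: create an AF_UNIX stream socket and bind() or connect() it to path
 * (bind and connect share a signature, so the caller picks the operation). */
static int unix_socket(int (*op)(int, const struct sockaddr *, socklen_t), const char *path)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (strlen(path) >= sizeof sa.sun_path) { close(fd); return -1; }
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if (op(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Vulnerable pattern: the path depends only on guessable data (here the uid),
 * so a local attacker can bind() a listener there before the plugin starts.
 * The plugin then connects to the attacker's socket and hands over its message.
 * Returns the number of bytes the attacker captured, or -1 on error. */
int demo_predictable_path_hijack(char *captured, size_t caplen)
{
    char path[64];
    const char msg[] = "applet->browser: constructed secret";
    snprintf(path, sizeof path, "/tmp/example-plugin-%u", (unsigned)getuid());

    unlink(path);                                   /* attacker gets there first */
    int attacker = unix_socket(bind, path);
    if (attacker < 0 || listen(attacker, 1) < 0) { if (attacker >= 0) close(attacker); return -1; }

    int plugin = unix_socket(connect, path);        /* victim trusts the fixed name */
    if (plugin < 0) { close(attacker); unlink(path); return -1; }
    ssize_t w = write(plugin, msg, sizeof msg - 1);
    close(plugin);

    int conn = accept(attacker, NULL, NULL);        /* queued data survives the peer's close */
    ssize_t n = (w < 0 || conn < 0) ? -1 : read(conn, captured, caplen - 1);
    if (n >= 0) captured[n] = '\0';
    if (conn >= 0) close(conn);
    close(attacker);
    unlink(path);
    return (int)n;
}

/* Check the plugin should make before trusting its directory: a real
 * directory (lstat, so a symlink fails), owned by us, with no group/other bits. */
int check_private_dir(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return -2;
    if (st.st_uid != getuid()) return -3;
    if (st.st_mode & 077) return -4;
    return 0;
}

/* Hardened pattern: mkdtemp() atomically creates a fresh 0700 directory with a
 * random suffix (it fails instead of reusing an existing name), the socket is
 * bound inside it, and nothing is unlink()ed first, so a pre-planted entry
 * makes bind() fail with EADDRINUSE rather than being silently replaced.
 * On success writes the socket path to sockpath and returns the listening fd. */
int create_private_socket(char *sockpath, size_t len)
{
    char dir[] = "/tmp/example-plugin-XXXXXX";     /* template must be writable */
    mode_t old = umask(077);                        /* socket inode ends up 0700 too */
    if (mkdtemp(dir) == NULL) { umask(old); return -1; }
    if (check_private_dir(dir) != 0 || snprintf(sockpath, len, "%s/sock", dir) >= (int)len) {
        umask(old); rmdir(dir); return -1;
    }
    int fd = unix_socket(bind, sockpath);
    umask(old);
    if (fd < 0 || listen(fd, 1) < 0) {
        if (fd >= 0) close(fd);
        unlink(sockpath); rmdir(dir); return -1;
    }
    return fd;
}

/* Tear down what create_private_socket() made: socket, file, directory. */
void destroy_private_socket(int fd, const char *sockpath)
{
    char dir[256];
    close(fd);
    unlink(sockpath);
    snprintf(dir, sizeof dir, "%s", sockpath);
    char *slash = strrchr(dir, '/');
    if (slash) { *slash = '\0'; rmdir(dir); }
}

int main(void)
{
    char buf[128], sockpath[256];
    int n = demo_predictable_path_hijack(buf, sizeof buf);
    printf("predictable path: attacker captured %d bytes: \"%s\"\n", n, n > 0 ? buf : "");
    int fd = create_private_socket(sockpath, sizeof sockpath);
    if (fd < 0) { perror("create_private_socket"); return 1; }
    printf("private socket created at %s\n", sockpath);
    destroy_private_socket(fd, sockpath);
    return 0;
}
```

The hijack half works because both sides agree on a name anyone can compute and the directory is world-writable; the hardened half removes both properties, since the attacker can neither guess the mkdtemp() suffix nor create anything inside a 0700 directory they do not own. A real plugin would additionally have to pass the private path to its peer through a channel the attacker cannot read, which is outside this demo.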