
Bug 576428

Summary: dev-java/icedtea-bin-3.0.0_* is detected as vulnerable by glsa-check -t
Product: Gentoo Security
Reporter: Sylvain CANOINE <canouble>
Component: GLSA Errors
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: creideiki+gentoo-bugzilla, java
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Runtime testing required: ---

Description Sylvain CANOINE 2016-03-04 11:14:42 UTC
After installing dev-java/icedtea-bin-3.0.0_pre09-r1 on a hardened amd64 Gentoo Linux box:

# glsa-check -t all
This system is affected by the following GLSAs:
201406-32

# glsa-check --print 201406-32
            GLSA 201406-32:
IcedTea JDK: Multiple vulnerabilities
============================================================================
Synopsis:          Multiple vulnerabilities have been found in the IcedTea
                    JDK, the worst of which could lead to arbitrary code
                    execution.
Announced on:      June 29, 2014
Last revised on:   June 29, 2014 : 01

Affected package:  dev-java/icedtea-bin
Affected archs:    All
Vulnerable:        <6.1.13.3
Unaffected:        >=6.1.13.3

Related bugs:      312297, 330205, 340819, 346799, 352035, 353418, 354231, 355127, 370787, 387637, 404095, 421031, 429522, 433389, 438750, 442478, 457206, 458410, 461714, 466822, 477210, 489570, 508270

Background:        IcedTea is a distribution of the Java OpenJDK source code
                   built with free build tools.

Description:       Multiple vulnerabilities have been discovered in the
                   IcedTea JDK. Please review the CVE identifiers referenced
                   below for details.

Impact:            A remote attacker could possibly execute arbitrary code
                   with the privileges of the process, cause a Denial of
                   Service condition, obtain sensitive information, bypass
                   intended security policies, or have other unspecified
                   impact.

Workaround:        There is no known workaround at this time.

Resolution:        All IcedTea JDK users should upgrade to the latest
                   version:
                   # emerge --sync
                   # emerge --ask --oneshot --verbose
                   ">=dev-java/icedtea-bin-6.1.13.3"

References: (...)

Reproducible: Always

Steps to Reproduce:
1. Emerge dev-java/icedtea-bin-3.0.0_pre09-r1
2. Run glsa-check -t all
Actual Results:
# glsa-check -t all
This system is affected by the following GLSAs:
201406-32

Expected Results:
# glsa-check -t all
This system is not affected by any of the listed GLSAs
Comment 1 James Le Cuirot gentoo-dev 2016-03-15 10:34:47 UTC
I've just been alerted to this and it now also affects GLSA 201603-14. icedtea-3 is actually the latest version (for Java 8) because we've switched to match upstream's versioning scheme instead of our own weird one. Apart from this issue, it hasn't been a problem because we always depend on JVMs using SLOTs. Since I'm currently trying to push icedtea-3 as the new big thing right now, I'd really like this fixed! I don't like touching GLSAs myself though so please take a look.
Comment 2 James Le Cuirot gentoo-dev 2016-03-15 11:09:49 UTC
After discussing this with b-man and trying it locally, it looks like adding this is the way to go.

<unaffected range="lt">6</unaffected>

We don't have icedtea-3 in the tree yet, only icedtea-bin-3, but it will be coming so don't forget to add it for both.
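The fix proposed in this comment, traced through the range logic as an added Python example (not glsa-check's or the GLSA's own code): the GLSA fragment is constructed from the ranges printed in the description, the version ordering is a simplification of Gentoo's, and the `<unaffected range="lt">6</unaffected>` line is the one suggested above.

```python
# Added example (not glsa-check's own code): how GLSA version ranges are
# evaluated and why the switch to upstream's 3.x numbering tripped 201406-32.
import operator
import re
import xml.etree.ElementTree as ET

# Constructed from the ranges printed in this bug's description.
GLSA_BEFORE = """<glsa id="201406-32">
  <affected>
    <package name="dev-java/icedtea-bin" auto="yes" arch="*">
      <unaffected range="ge">6.1.13.3</unaffected>
      <vulnerable range="lt">6.1.13.3</vulnerable>
    </package>
  </affected>
</glsa>"""

# Comment 2's fix: a second <unaffected> range covering the new 3.x series.
GLSA_AFTER = GLSA_BEFORE.replace(
    "<vulnerable", '<unaffected range="lt">6</unaffected>\n      <vulnerable')

_OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
        "ge": operator.ge, "gt": operator.gt}


def version_key(ver):
    """Simplified Gentoo ordering: dotted numbers, _pre/_rc/_p suffix, -rN.
    Enough for the versions in this bug; not the full PMS algorithm."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(pre|rc|p)(\d*))?(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version: {ver}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    suffix_rank = {"pre": -2, "rc": -1, None: 0, "p": 1}[m.group(2)]
    return (nums, suffix_rank, int(m.group(3) or 0), int(m.group(4) or 0))


def is_affected(glsa_xml, atom, installed):
    """True when the installed version matches a <vulnerable> range and is
    not rescued by any <unaffected> range (the rule glsa-check applies)."""
    inst = version_key(installed)
    for pkg in ET.fromstring(glsa_xml).iter("package"):
        if pkg.get("name") != atom:
            continue

        def hit(tag):
            return any(_OPS[e.get("range")](inst, version_key(e.text.strip()))
                       for e in pkg.findall(tag))
        if hit("vulnerable") and not hit("unaffected"):
            return True
    return False
```

With only the original ranges, 3.0.0_pre09-r1 is "less than 6.1.13.3" and so flagged; the added `lt 6` range rescues the 3.x series while leaving a genuinely old 6.1.13.2 flagged.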
Comment 3 Karl-Johan Karlsson 2016-04-17 09:58:33 UTC
dev-java/icedtea-3.0.0 is now in the tree and is also affected by this bug.
Comment 4 James Le Cuirot gentoo-dev 2016-04-17 10:02:42 UTC
I pinged b-man about it a while ago and he said he wasn't allowed to modify the GLSA files yet. Obviously I'm not allowed either but I don't care, security team, if you don't make the changes this coming week, I will do it myself.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2016-04-19 22:37:46 UTC
commit b47115cd45a31ae205124ceb2e64da40905eeadd
Author: Tobias Heinlein <keytoaster@gentoo.org>
Date:   Tue Apr 19 23:37:16 2016 +0200

    IcedTea GLSAs: Add unaffected < 6 due to new versioning scheme (bug 576428).
Comment 6 Sylvain CANOINE 2016-08-04 06:47:16 UTC
The problem reappeared with 201606-18 and dev-java/icedtea-bin-3.1.0:

# glsa-check -vt all
This system is affected by the following GLSAs:
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201606-18 [N] [remote  ] IcedTea: Multiple vulnerabilities ( dev-java/icedtea-bin-3.1.0 )
#
Comment 7 James Le Cuirot gentoo-dev 2016-08-05 20:15:07 UTC
(In reply to Sylvain CANOINE from comment #6)
> The problem reappeared with 201606-18 and dev-java/icedtea-bin-3.1.0 :

Reopening. Guys, let's keep on top of this, please! 201606-18 also mentions just icedtea-bin, not icedtea, which is equally affected.
Comment 8 Sergey Popov (RETIRED) gentoo-dev 2016-08-25 08:51:52 UTC
Issue with GLSA-201606-18 is fixed in bug #591346