
Bug 72221

Summary: dev-java/blackdown*: JRE prior to v1.4.2-01 vulnerable
Product: Gentoo Security
Reporter: Michael Mauch <michael.mauch>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: java, polynomial-c, ppc
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.blackdown.org/java-linux/java2-status/security/Blackdown-SA-2004-01.txt
Whiteboard: A2 [glsa] koon
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 72172
Attachments: blackdown-jdk-1.4.2.ebuild.diff (flags: none)

Description Michael Mauch 2004-11-23 04:24:24 UTC
Straight from the announcement:

1. Problem

   A vulnerability in the Java Plug-in may allow an untrusted applet
   to escalate privileges, through JavaScript calling into Java code,
   including reading and writing files with the privileges of the user
   running the applet.

   This issue is described in the following document: CVE CAN-2004-1029
   at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029.


2. Vulnerable Versions

   All Blackdown VMs previous to J2SE v1.4.2-01.


3. Solution

   Upgrade to J2SE v1.4.2-01

--------------------------------------------------------

sun-jdk-1.4.2.06.ebuild is not vulnerable and already stable for x86.

More URLs:

<http://www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true>
<http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-11/1126.html>:

"Sun Microsystems was informed on April 29, 2004 and has fixed the
problem in J2SE 1.4.2_06"
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-23 04:30:36 UTC
java please bump to 1.4.2-01.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2004-11-23 18:30:28 UTC
Created attachment 44615 [details]
blackdown-jdk-1.4.2.ebuild.diff

Hi,

I got the new version installed with the attached changes.
I did a quick test on x86 with mozilla and jdk at this german website:
http://www.heise.de/security/dienste/browsercheck/tests/java.shtml

Poly
Comment 3 Thomas Matthijs (RETIRED) gentoo-dev 2004-11-24 12:51:39 UTC
blackdown-jdk/jre bumped to 1.4.2.01
still needs amd64 keywording
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-24 14:07:34 UTC
amd64, please test and mark stable:

target KEYWORDS:
blackdown-jre-1.4.2.01.ebuild:KEYWORDS="-* amd64 x86"
blackdown-jdk-1.4.2.01.ebuild:KEYWORDS="-* x86 amd64"
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-11-25 01:54:40 UTC
New severity
Comment 6 Thomas Matthijs (RETIRED) gentoo-dev 2004-11-25 05:00:28 UTC
Oops,
sparc had blackdown 1.4.1 stable too. It was the only JDK for their arch, but it seems to be affected too (I removed it), so they no longer have a stable JDK; blackdown doesn't release them for sparc anymore.
Comment 7 Thomas Matthijs (RETIRED) gentoo-dev 2004-11-25 05:27:57 UTC
bumped 1.4.1 to 1.4.1-r1 for sparc, it no longer installs the mozilla plugin.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-11-26 02:29:01 UTC
amd64, please test and mark blackdown-jdk-1.4.2.01 stable.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-11-26 13:45:22 UTC
Axxo & PPC:
Versions 1.3.x are probably vulnerable too. What solution do we have for the ppc arch (which has a 1.3 version stable)? Can it be bumped to 1.4.x? What else could we do to secure ppc?
Comment 10 Thomas Matthijs (RETIRED) gentoo-dev 2004-11-27 04:25:35 UTC
I cannot test the plugins of 1.3* since they don't work on newer versions of mozilla/firefox.

all sun/blackdown >=1.4.0 in the tree now shouldn't be affected

ppc also has a stable ibm-jdk-bin
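As an added example (not from this bug or the Gentoo tree), a small Python checker that applies the version boundaries stated in this thread to a list of installed package atoms: blackdown-jdk/jre fixed in 1.4.2.01 (v1.4.2-01), sun-jdk fixed in 1.4.2.06 (1.4.2_06), and blackdown 1.4.1-r1 treated as mitigated because it no longer installs the plug-in. The FIXED and MITIGATED tables, the simplified Gentoo version ordering, and the constructed sample list are assumptions built from the comments above.

```python
"""Checker for the Java plug-in issue (CVE CAN-2004-1029) tracked in this bug."""
import re

# Assumed from this thread: first fixed ebuild version per affected package.
FIXED = {
    "dev-java/blackdown-jdk": "1.4.2.01",
    "dev-java/blackdown-jre": "1.4.2.01",
    "dev-java/sun-jdk": "1.4.2.06",
}
# Assumed from Comment 7: the sparc 1.4.1-r1 rebuild drops the mozilla plug-in,
# so it is older than the fix but not exposed through the browser. Both jdk and
# jre are listed here as an assumption; the comment names only "1.4.1".
MITIGATED = {"dev-java/blackdown-jdk-1.4.1-r1", "dev-java/blackdown-jre-1.4.1-r1"}

# category/name-version[-rN]; the non-greedy name stops at the first "-<digit>".
ATOM_RE = re.compile(
    r"^(?P<cat>[^/]+)/(?P<pn>[a-z][a-z0-9-]*?)-(?P<pv>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$"
)

def parse_version(pv, rev=None):
    """Simplified Gentoo ordering: dotted numeric components, then -rN revision."""
    return tuple(int(x) for x in pv.split(".")), int(rev or 0)

def split_atom(atom):
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unparseable atom: {atom}")
    return f"{m['cat']}/{m['pn']}", parse_version(m["pv"], m["rev"])

def is_vulnerable(atom):
    """True if the atom is an affected package below its fixed version and not mitigated."""
    if atom in MITIGATED:
        return False
    pkg, ver = split_atom(atom)
    if pkg not in FIXED:
        return False          # e.g. ibm-jdk-bin on ppc: not covered by this bug
    return ver < parse_version(FIXED[pkg])

def audit(installed):
    """Return the subset of installed atoms that should be upgraded."""
    return [a for a in installed if is_vulnerable(a)]

if __name__ == "__main__":
    # Constructed sample, not real system output.
    sample = ["dev-java/blackdown-jdk-1.4.1", "dev-java/blackdown-jre-1.4.2.01",
              "dev-java/sun-jdk-1.4.2.05", "dev-java/sun-jdk-1.4.2.06",
              "dev-java/blackdown-jdk-1.4.1-r1", "dev-java/ibm-jdk-bin-1.4.1"]
    print(audit(sample))
```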
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-27 04:43:44 UTC
As Lars posted above, a test can be found at <http://www.heise.de/security/dienste/browsercheck/tests/java.shtml> (German).

In the stanza beginning with "Am 23.11.2004 wurde ein Problem bekannt" click on the link "hier", a popup should appear saying "Sie sind verwundbar" if you are still vulnerable.
Opera still seems to have problems with this, probably because of its non-standard java usage (see bug #71818).
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-11-27 11:13:10 UTC
amd64 is ready now
ppc: please try blackdown-jdk/jre 1.4.x and see if you could mark it stable.

We've a short schedule on this one, we might need to issue a temporary GLSA with affected versions by Monday. See what you can do :)
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-11-29 01:50:47 UTC
JoseJX just said that ppc has no "Java plug-in" functionality from blackdown-jdk/jre so it's not affected by this vulnerability.

We're waiting for a confirmation on this and will send a x86/amd64 restricted GLSA if this is verified.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-29 08:10:25 UTC
A thread on FD talks about the necessity to remove old java versions:
http://www.securityfocus.com/archive/1/382281
http://www.securityfocus.com/archive/1/382413

http://java.sun.com/products/plugin/versions.html#answers :

Question: What happens when the user at some later point returns to the applet that specifies the 1.3.1 plug-in? Does the 1.4 plug-in load, ignoring the applet's HTML plug-in version parameters?

Answer: Here the answer depends on whether the 1.3.1 applet specifies clsid:8AD ... or clsid:CAF .... The clsid:CAF ... indicates that the applet requires the specific version of 1.3.1 to run; and so it will run with the 1.3.1 version if it has not been removed from the system and will prompt the user to install it if it has. However, if the clsid:8AD ... is used and both versions of the Plug-in are still installed on the system, then the 1.3.1 version will be run. If 1.3.1 has been removed, the 1.4 version will be run. In this case, any version of Plug-in equal to or higher than the indicated version will be used.

Question: What happens when the user has a newer version of the plug-in installed (e.g., 1.4) but opens an applet whose HTML specifies an older version (1.3.1 or 1.2.1)? Will the user be prompted to install the older one? If so, what happens when the user returns to the newer applet?

Answer: This is similar to the question above. If the clsid:CAF ... is used, then the older version will be installed and run. However, if the clsid:8AD is used, then the newer version will run the applet.


_______

another test can be found here:
http://bcheck.scanit.be/bcheck/
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-11-29 08:23:46 UTC
Holding on the GLSA a few more hours on konq/opera vulnerability test to see if we should have a "Note:" about their vulnerable status.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-11-29 13:56:00 UTC
GLSA 200411-38