Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 85804

Summary: dev-java/sun-jdk: Java Web Start argument injection vulnerability
Product: Gentoo Security Reporter: Jan Brinkmann (RETIRED) <luckyduck>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: java
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57740-1
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---

Description Jan Brinkmann (RETIRED) gentoo-dev 2005-03-18 11:37:17 UTC
OVERVIEW
========

Java Web Start is a technology for easy client-side deployment of Java
applications. "Using Java Web Start technology, standalone Java
software applications can be deployed with a single click over the
network" (from Sun Microsystems's website).

Java Web Start is installed with Java Runtime Environment (JRE). During
installation, file type associations are added to make web browsers
automatically (with a single click) open Java Web Start's .JNLP files
(the behavior may vary between different web browsers).

There is a vulnerability in the way Web Start handles Java system
properties defined in JNLP files. A malicious user can pass command
line arguments to the Java virtual machine. They can be used to disable
the Java "sandbox" and compromise the system. The attack can be carried
out when the victim user views a web page crafted by the attacker.

[...]

VULNERABLE VERSIONS
===================

Java Web Start in J2SE 1.4.2 releases prior 1.4.2_07 are vulnerable.
J2SE 5.0 and later, and releases prior to 1.4.2 are NOT vulnerable.


[...]

The complete message can be found here:

http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032687.html


1.4.2_07 is already in the tree.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-03-18 11:53:50 UTC
Would the sun-jre also be affected ?
Comment 2 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-18 11:58:26 UTC
i think so, since the jre also provides javaws (the java webstart binary)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-24 13:45:51 UTC
GLSA 200503-28