Bug 96092

Summary: dev-java/sun-jdk-1.4.2.07-r1 may allow untrusted applet to elevate privileges
Product: Gentoo Security
Reporter: Stefan Tittel <bugreports>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: java
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 96229
Bug Blocks:

Description Stefan Tittel 2005-06-14 09:20:43 UTC
A vulnerability in the Java Runtime Environment provided by dev-java/sun-jdk-1.4.2.07-r1 may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

For further details please have a look at the URL specified.

Affected are all Sun 1.4 JDKs <=1.4.2_07, so it hits dev-java/sun-jdk-1.4.2.07-r1. The actual stable-lead dev-java/sun-jdk-1.4.2.08 seems to be fine, so removing or hard masking dev-java/sun-jdk-1.4.2.07-r1 should do the trick.

Other JDKs like dev-java/blackdown-jdk or dev-java/compaq-jdk might also be affected; this should be investigated.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-14 12:41:12 UTC
Java please advise also on other Java flavors.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 09:04:54 UTC
1.4.2.08 is released and stable on the right platforms. I would say this is ready for a common GLSA with bug 96229.
Comment 3 Jan Brinkmann (RETIRED) gentoo-dev 2005-06-16 10:03:33 UTC
removed the vulnerable version
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-19 12:02:46 UTC
GLSA 200506-14