Bug 158659 - dev-java/sun-{jdk,jre-bin} - multiple vulnerabilities (CVE-2006-6731,6736,6737,6745)
Summary: dev-java/sun-{jdk,jre-bin} - multiple vulnerabilities (CVE-2006-6731,6736,673...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-12-20 08:59 UTC by Carsten Lohrke (RETIRED)
Modified: 2007-02-10 19:15 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2006-12-20 08:59:13 UTC
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102731-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1


Fixed with 1.4.2.13/1.5.0.09. There's already a new update available, though. Who knows what Sun announces later...
Comment 1 Petteri Räty (RETIRED) gentoo-dev 2006-12-20 10:24:16 UTC
Let's get the following things stable then:
=sun-{jdk,jre-bin}-1.5.09*
=sun-{jdk,jre-bin}-1.4.13*
Comment 2 Markus Meier gentoo-dev 2006-12-20 12:36:56 UTC
I tested the following packages:
dev-java/sun-jdk-1.4.2.13
dev-java/sun-jdk-1.5.0.09
dev-java/sun-jre-bin-1.4.2.13
dev-java/sun-jre-bin-1.5.0.09

all emerge on x86, pass collision test and work.

Please note:
A Notice: pre-stripped files found:
/var/tmp/portage/sun-jdk-1.4.2.13/image/opt/sun-jdk-1.4.2.13/bin/java
/var/tmp/portage/sun-jdk-1.4.2.13/image/opt/sun-jdk-1.4.2.13/bin/javac
....

QA Notice: pre-stripped files found:
/var/tmp/portage/sun-jre-bin-1.4.2.13/image/opt/sun-jre-bin-1.4.2.13/bin/java
/var/tmp/portage/sun-jre-bin-1.4.2.13/image/opt/sun-jre-bin-1.4.2.13/bin/keytool
...


Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.4 i686)
=================================================================
System uname: 2.6.18.4 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Wed, 20 Dec 2006 18:30:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 3 Petteri Räty (RETIRED) gentoo-dev 2006-12-20 13:09:52 UTC
(In reply to comment #2)
>
> Please note:
> A Notice: pre-stripped files found:

Nothing we can do as Sun only has binary releases for these versions. GPL comes hopefully with 1.7.
Comment 4 Andrej Kacian (RETIRED) gentoo-dev 2006-12-23 09:52:19 UTC
x86 done
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-23 10:05:21 UTC
Merry Christmas :)
Comment 6 Malcolm Lashley (RETIRED) gentoo-dev 2007-01-09 23:52:33 UTC
amd64 done.

GLSA?
Comment 7 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-01-10 00:30:24 UTC
Removed the vulnerable versions, and removed amd64 keyword (added by mistake) from 1.4.2.13.

We forgot about app-emulation/emul-linux-x86-java... 1.5.0.08 is in fact sun-jdk, but if I read the links correctly, the fixed versions are in fact >=1.5.0.08, not 1.5.0.09?

What's worse - blackdown-jdk-1.4.2.03 is IIRC just relicensed sun-jdk so it's probably also vulnerable. But we can't kill the only 1.4 JDK for amd64 yet... emul-linux-x86-java-1.4* is also blackdown-jdk, although it could probably be changed to sun.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 22:39:19 UTC
(In reply to comment #6)
> amd64 done. 
> 
> GLSA?
> 

According to http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1 it's an A2 -> GLSA. Thanks Malcolm
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 22:43:32 UTC
> We forgot about app-emulation/emul-linux-x86-java... 1.5.0.08 is in fact
> sun-jdk, but if I read the links correctly, the fixed versions are in fact
> >=1.5.0.08, not 1.5.0.09?

thanks, this will be handled on bug 159547

> What's worse - blackdown-jdk-1.4.2.03 is IIRC just relicensed sun-jdk so it's
> probably also vulnerable. But we can't kill the only 1.4 JDK for amd64 yet...
> emul-linux-x86-java-1.4* is also blackdown-jdk, although it could probably be
> changed to sun.

right, bug 161835
Comment 10 Thomas Tuttle 2007-01-19 20:08:31 UTC
dev-java/sun-jdk-1.5.0.10 and dev-java/sun-jre-bin-1.5.0.10 build, pass collision test, and work on amd64.

emerge --info:

Portage 2.1.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.19-gentoo-r4 x86_64)
=================================================================
System uname: 2.6.19-gentoo-r4 x86_64 Intel(R) Core(TM)2 CPU         T7200  @ 2.00GHz
Gentoo Base System version 1.12.8
Last Sync: Fri, 19 Jan 2007 15:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /lib/modules /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict prelink sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo"
LINGUAS="en en_US"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi aiglx alsa alsa_cards_hda-intel alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol arts berkdb bitmap-fonts cairo cdda cddb cdinstall cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd exif fam firefox flac fortran gdbm gif gnome gpm gstreamer gtk gtk2 hal iconv input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_synaptics ipv6 isdnlog jack java5 jce jikes jpeg kde kernel_linux lcd_devices_bayrad lcd_devices_cfontz lcd_devices_cfontz633 lcd_devices_glk lcd_devices_hd44780 lcd_devices_lb216 lcd_devices_lcdm001 lcd_devices_mtxorb lcd_devices_ncurses lcd_devices_text ldap libg++ linguas_en linguas_en_US lirc lirc_devices_streamzap mad mikmod mozbranding mp3 mpeg ncurses nls nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl srvdir ssl symlink tcpd theora truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_i810 video_cards_i945 video_cards_vesa vorbis x264 xml xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-23 00:22:41 UTC
GLSA 200601-15, thanks everybody.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 19:15:08 UTC
(In reply to comment #11)
> GLSA 200601-15, thanks everybody.
> 

200701-15 of course