Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 159547 - app-emulation/emul-linux-x86-java - multiple vulnerabilities
Summary: app-emulation/emul-linux-x86-java - multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3/2? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-12-31 02:11 UTC by Vic Fryzel (shellsage) (RETIRED)
Modified: 2007-02-18 00:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2006-12-31 02:11:15 UTC
The file construct.sh distributed with app-emulation/emul-linux-x86-java insecurely writes to files in /tmp numerous times without first checking if the files are symlinks.  This could potentially allow for the overwriting of arbitrary files on the filesystem upon installation of app-emulation/emul-linux-x86-java.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2007-01-06 12:35:05 UTC
amd64 please advise and bump as necessary.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 22:44:07 UTC
amd64 team?

And there is maybe http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1 too, i don't know exactly. see bug 158659
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-01-13 01:28:57 UTC
The construct.sh script is used only during emerge, and for dev-java/sun-jre-bin{1.5,1.6} too. So if we fix it, there's no point in bump. Doesn't sandbox cover this, though?
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-14 20:16:25 UTC
(In reply to comment #3)
> The construct.sh script is used only during emerge, and for
> dev-java/sun-jre-bin{1.5,1.6} too. So if we fix it, there's no point in bump.
> Doesn't sandbox cover this, though?

OK, sandbox covers the construct.sh insecure temporary file usage. But there is also several vulnerabilities reported in bug 158659, in particular:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1

I think (IMHO) this affects the emulation Java package too.
Comment 5 Steve Dibb (RETIRED) gentoo-dev 2007-01-23 10:52:38 UTC
there was a stable request anyway (bug 151705), so amd64 stable.
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-01-23 11:52:43 UTC
What you stabled wasn't fixed at all. I'll list it clearly:

1.5.0.08 - based on sun-jre-bin-1.5.0.08, vulnerable the same way as bug 158659 and bug 162511 - needs to be bumped to 1.5.0.10 first, then stable

1.4.2.03 - based on blackdown-jre, probably vulnerable as bug 161835 - since there's no new blackdown version, we could bump to version based on sun-jre-bin-1.4.2.13 instead of blackdown, at the cost of fetch restriction

BTW, I've fixed the problem with /tmp usage by changing it to ${T}. as construct.sh is used only during emerge, no need to bump/stable/glsa for this.
Comment 7 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-01-26 15:38:22 UTC
wltjr commited 1.5.0.10, but he's not arch team member with stable system/chroot so can amd64 stable that?
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2007-02-03 05:18:27 UTC
(In reply to comment #7)
> wltjr commited 1.5.0.10, but he's not arch team member with stable
> system/chroot so can amd64 stable that?
> 

amd64 stable
Comment 9 Simon Stelling (RETIRED) gentoo-dev 2007-02-10 12:39:48 UTC
nothing to do for amd64 here
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 19:15:20 UTC
I vote for a GLSA, see 200701-15.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 22:34:45 UTC
i'm actually the only active member of the security team, so i can't apply the policy telling that 2 positive votes include a GLSA. 

Let's have one btw :)
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-18 00:27:36 UTC
GLSA 200702-08, thx amd and java teams