As per summary, with the disclosure of OpenJDK sources we can confirm that the libpng copy in it is not patched to fix the vulnerability in summary (CVE-2006-5793), which makes its splashscreen support vulnerable to that issue.
java please advise and bump as necessary.
Cannot bump, upstream has to confirm the bug first (Diego please post upstream URL when they accept it) and hopefully fix it. How do you know it affects also 1.6? OpenJDK is 1.7. What about 1.5 or even 1.4? :)
From a reply of Phil Race on awt-dev:
> libgif and libpng are only in JDK since 1.6, and the same is
> true for splashscreen's use of openjdk so there's not too
> much history there to worry about yet.
The code of libpng released with OpenJDK is not patched, so I don't think they patched the 1.6 release either; they didn't seem to know about it to begin with.
Hm and just recently we asked for the JRE to go stable, and x86 already did it.
But if I understand correctly, it will just crash the JVM when starting some app with malicious splash screen? And no execution of code?
(In reply to comment #4)
> app with malicious splash screen? And no execution of code?
Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06.
_Reported date: October 2006._
Advisory release date: May 15th 2007.
"This, on Linux, causes the image parsing thread to hang whilst trying to read from /dev/tty."
(In reply to comment #5)
> (In reply to comment #4)
> > app with malicious splash screen? And no execution of code?
That's a different issue, I've created bug 178851 for it, thanks for reporting!
The bug report was accepted by Sun, but it will take a day or two before being visible at the URL I just added to the report.
Handling 179162 on bug #179162.
sun released u1 so x86 please mark sun-jre-bin-184.108.40.206 stable
(In reply to comment #9)
> sun released u1 so x86 please mark sun-jre-bin-220.127.116.11 stable
Take that back. This issue is not fixed with u1.
Petteri, any news on this one?
(In reply to comment #11)
> Petteri, any news on this one?
It will take a while before Sun is able to react to this. Hopefully in time for u2 but I am betting u3.
The upstream bug is still not public. We should be asking Diego if he got any response...
The bug is private to me too, I had no direct response though.
"This bug is not available." -- is there any update available here? If not, we should contact the Sun people.
Any news available here? Any comments from upstream?
A year and half old bug and still no upstream fix? What's going on here?
Note that this doesn't affect icedtea6 as it fixes Sun's build system to link against the system libpng.
Seems to me sun-jdk-1.6 still uses libpng 1.2.8:
caster@macpro /opt/sun-jdk-18.104.22.168/jre/lib/amd64 $ objdump -FD libsplashscreen.so | grep -A 5 png_libpng_ver
000000000002f5f0 <png_libpng_ver> (File Offset: 0x2f5f0):
2f5f0: 31 2e xor %ebp,(%rsi)
2f5f2: 32 2e xor (%rsi),%ch
2f5f4: 38 00 cmp %al,(%rax)
(the symbol is a normal C string which I read "1.2.8")
which is a shame, as openjdk seems to use 1.2.18 and the affected versions are libpng 1.0.6 through 1.2.12 according to the CVE.
1.2.8 is still used in sun-jdk-22.214.171.124 whether patched or not. oracle-jdk-bin-126.96.36.199 is using libpng 1.5.4 instead.
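An added check (not code from this thread, the JDK, or libpng) that automates the version audit done above with objdump: instead of resolving the png_libpng_ver symbol, it scans the raw bytes of a shared object for libpng's compiled-in "libpng version X.Y.Z" copyright string and flags any copy inside the 1.0.6 through 1.2.12 range quoted from the CVE. The sample blobs are constructed stand-ins, not real libsplashscreen.so contents.

```python
import re
from typing import List, Optional, Tuple

# Affected range as stated in the thread for CVE-2006-5793: libpng 1.0.6 through 1.2.12.
AFFECTED_MIN = (1, 0, 6)
AFFECTED_MAX = (1, 2, 12)

# libpng compiles its version into the png_get_copyright()/png_get_header_ver() strings,
# e.g. "libpng version 1.2.8 - December 3, 2004". Searching the file bytes for that
# pattern avoids resolving the png_libpng_ver symbol by hand with objdump.
_VERSION_RE = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'X.Y.Z' into a tuple so 1.2.8 < 1.2.12 compares numerically, not lexically."""
    major, minor, patch = (int(p) for p in text.split("."))
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the bundled libpng falls inside the vulnerable interval (inclusive)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def find_libpng_versions(blob: bytes) -> List[Tuple[int, int, int]]:
    """Return every distinct libpng version string embedded in a binary, in file order."""
    found: List[Tuple[int, int, int]] = []
    for m in _VERSION_RE.finditer(blob):
        v = tuple(int(x) for x in m.groups())
        if v not in found:
            found.append(v)
    return found


def audit(blob: bytes) -> Optional[bool]:
    """None when no libpng string is present (no bundled copy, or the string was stripped),
    otherwise whether any embedded copy is inside the vulnerable range."""
    versions = find_libpng_versions(blob)
    if not versions:
        return None
    return any(is_affected(v) for v in versions)


# Constructed sample blobs standing in for libsplashscreen.so contents (not real files).
SAMPLE_SUN_JDK = b"\x7fELF\x00\x00 libpng version 1.2.8 - December 3, 2004\n Copyright\x00"
SAMPLE_OPENJDK = b"\x7fELF\x00\x00 libpng version 1.2.18 - (date)\n\x00"
SAMPLE_ORACLE = b"\x7fELF\x00\x00 libpng version 1.5.4 - (date)\n\x00"

if __name__ == "__main__":
    for name, blob in [("sun-jdk", SAMPLE_SUN_JDK), ("openjdk", SAMPLE_OPENJDK), ("oracle", SAMPLE_ORACLE)]:
        print(name, find_libpng_versions(blob), audit(blob))
```

To audit an installed JRE, pass the bytes of its libsplashscreen.so (read in binary mode) to audit(); a None result means the version string was not found and the objdump symbol lookup from the thread is the fallback.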
sun-jdk and sun-jre-bin are PMASKED
Packages are masked and all users were advised to switch to Oracle packages in GLSA 201401-30.