Bug 178851 - dev-java/{sun-jdk|sun-jre-bin} 1.6.0* image parsing library vulnerabilities (ICC parsing, BMP parsing) (CVE-2007-2788, CVE-2007-2789)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://scary.beasts.org/security/CESA...
Whiteboard: B2? [glsa+] jaervosz
Keywords:
Duplicates: 179155
Depends on: 172854
Blocks: 177842 java-security
Reported: 2007-05-17 09:42 UTC by Vlastimil Babka (Caster) (RETIRED)
Modified: 2008-04-17 23:43 UTC

Description Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-05-17 09:42:13 UTC
Originally reported by Martin Capitanio <gentoo-bug@capitanio.org> in bug 178575.

Programs affected: JDK 1.5.0_07-b03 and others.
Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06.
Severity: Probable remote compromise of systems which use the vulnerable JDK APIs to parse images.

We already have 1.5.0.11 stabled, so that's fine, but we need to finally get them to release 1.6.0_01 under the DLJ.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-18 06:41:23 UTC
Handling app-emulation/emul-linux-x86-java on bug 178962.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-19 22:29:10 UTC
*** Bug 179155 has been marked as a duplicate of this bug. ***
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-05-20 20:30:13 UTC
To sum it up, for 1.6 this is probably [upstream] because they didn't release a fixed version under the friendly license yet.
For 1.5 you could glsa it together with 176675 (if that's possible per your policies?) because the fixed version is the same - 1.5.0.11. But this bug isn't applicable to 1.4, which is also handled by 176675, so dunno.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-21 03:52:06 UTC
Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not stable we (security) don't mind.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-01 07:14:45 UTC
200705-23 combined with bug 176675
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-01 07:41:48 UTC
(In reply to comment #4)
> Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
> stable we (security) don't mind.

But x86 already stabilized 1.6.0 jre
Comment 7 Petteri Räty (RETIRED) gentoo-dev 2007-06-02 16:33:41 UTC
(In reply to comment #6)
> (In reply to comment #4)
> > Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
> > stable we (security) don't mind.
> 
> But x86 already stabilized 1.6.0 jre
> 

u1 is out. x86 please mark stable
Comment 8 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-03 22:44:45 UTC
> u1 is out. x86 please mark stable

Precisely, dev-java/sun-jre-bin-1.6.0.01-r1
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-06-04 07:48:54 UTC
x86 stable
Comment 10 Petteri Räty (RETIRED) gentoo-dev 2007-06-04 21:12:18 UTC
(In reply to comment #9)
> x86 stable
> 

Or not.
  04 Jun 2007; Christian Faulhammer <opfer@gentoo.org> ChangeLog:
  stable x86, security bug 178851
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2007-06-05 05:11:46 UTC
I stabled the wrong version, sorry for that. x86 done again.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-10 18:16:59 UTC
it was 200705-23 combined with bug 176675
Comment 13 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-10 18:31:49 UTC
(In reply to comment #12)
> it was 200705-23 combined with bug 176675

But that wasn't dealing with the 1.6 JDK, because we didn't have a fixed version available at that time.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-11 06:41:11 UTC
Caster are we still waiting for upstream on 1.6?

We'll close this one once we have an unstable ebuild for 1.6.
Comment 15 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-11 08:59:56 UTC
(In reply to comment #14)
> Caster are we still waiting for upstream on 1.6?

No.

> We'll close this one once we have an unstable ebuild for 1.6.

You might want to do a glsa because the vulnerable version was stable on x86 (and now the fixed one is stable, see comment 11).

Vulnerable that was stable: dev-java/sun-jre-bin-1.6.0-r1
Fixed that is stable: dev-java/sun-jre-bin-1.6.0.01-r1
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-16 06:56:01 UTC
Security please comment on GLSA need.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-20 08:25:39 UTC
we released glsa 200705-23 for a similar issue, so I guess we should have another one for this.
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2007-07-01 02:17:52 UTC
Security please vote.
Comment 19 Matt Drew (RETIRED) gentoo-dev 2007-07-02 21:25:01 UTC
I vote yes, we glsa'd the JPEG/BMP one, this is basically the same thing.
Comment 20 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-07-02 21:32:24 UTC
You can do the GLSA together with bug 183580, which is the same package in a different slot (maybe I didn't have to open an extra bug for it anyway...).
Comment 21 Sune Kloppenborg Jeppesen gentoo-dev 2007-07-15 07:24:02 UTC
Voting YES.
Comment 22 Matthias Geerdsen (RETIRED) gentoo-dev 2007-09-11 11:21:35 UTC
changing product/component

please file security bugs in the Gentoo Security product
Comment 23 Robert Buchholz (RETIRED) gentoo-dev 2008-03-31 19:05:43 UTC
I would close this bug without a GLSA because the GLSA has been updated more than half a year ago:

----------------------------
revision 1.2
date: 2007-06-05 16:24:43 +0200;  author: falco;  state: Exp;  lines: +4 -3;  commitid: 72f7466571f24567;
add the 1.6.x branch of sun-jre-bin since it had been stabilized on x86 just a few days before the glsa was sent.
----------------------------

--- glsa-200705-23.xml  31 May 2007 18:12:05 -0000      1.1
+++ glsa-200705-23.xml  5 Jun 2007 14:24:43 -0000       1.2
@@ -11,7 +11,7 @@
   </synopsis>
   <product type="ebuild">sun-jdk,sun-jre-bin</product>
   <announced>May 31, 2007</announced>
-  <revised>May 31, 2007: 01</revised>
+  <revised>June 05, 2007: 02</revised>
   <bug>176675</bug>
   <bug>178851</bug>
   <access>remote</access>
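Review bot: This hunk is metadata only and is internally consistent: the <revised> bump to "02" with the June 05 date matches "revision 1.2" in the log quoted above, and the <bug> list already carried 178851 at revision 1.1, so nothing else needs to change here; the substantive correction is confined to the <affected> block in the next hunk.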
@@ -22,9 +22,10 @@
       <vulnerable range="lt">1.5.0.11</vulnerable>
     </package>
     <package name="dev-java/sun-jre-bin" auto="yes" arch="*">
-      <unaffected range="ge">1.5.0.11</unaffected>
+      <unaffected range="rge">1.5.0.11</unaffected>
       <unaffected range="rge">1.4.2.14</unaffected>
-      <vulnerable range="lt">1.5.0.11</vulnerable>
+      <unaffected range="ge">1.6.0.01</unaffected>
+      <vulnerable range="lt">1.6.0.01</vulnerable>
     </package>
   </affected>
   <background>
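Review bot: The change of sun-jre-bin's 1.5 entry from range="ge" to range="rge" is required, not cosmetic: once the vulnerable upper bound moves from 1.5.0.11 to 1.6.0.01, a plain ge 1.5.0.11 would also match the vulnerable 1.6.0-r1 and wrongly mark it unaffected, whereas rge limits the match to 1.5.0.11 and its revisions, the same way the existing rge 1.4.2.14 line keeps the 1.4 branch covered. One gap remains: the sun-jdk package, whose block closes just above with <vulnerable range="lt">1.5.0.11</vulnerable>, gets no 1.6 entries in this revision, so the 1.6 JDK stays outside the advisory, which is exactly what comment 24 later notices; a matching unaffected ge 1.6.0.01 / vulnerable lt 1.6.0.01 pair (with the 1.5 line switched to rge) would be needed for sun-jdk as well.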
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2008-03-31 19:09:34 UTC
Oh wait, that did not deal with the JDK. Assuming that was affected, it needs to get GLSA'd.
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 23:43:35 UTC
GLSA 200804-20, sorry for the long delay.