Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 178962 - app-emulation/emul-linux-x86-java-1.5.0.10 and 1.4.2.03*: image parsing library vulnerabilities (ICC parsing, BMP parsing) (CVE-2007-2788, CVE-2007-2789)
Summary: app-emulation/emul-linux-x86-java-1.5.0.10 and 1.4.2.03*: image parsing libra...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://scary.beasts.org/security/CESA...
Whiteboard: B2? [glsa] jaervosz | [glsa] for 1.4 ...
Keywords:
Depends on:
Blocks: emul-tracker 194711 java-security
  Show dependency tree
 
Reported: 2007-05-18 06:40 UTC by Sune Kloppenborg Jeppesen
Modified: 2008-04-17 23:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2007-05-18 06:40:17 UTC
+++ This bug was initially created as a clone of Bug #178851 +++

Originally reported by Martin Capitanio <gentoo-bug@capitanio.org> in bug 178575.

Programs affected: JDK 1.5.0_07-b03 and others.
Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06.
Severity: Probable remote compromise of systems which use the vulnerable JDK APIs to parse images.

We already have 1.5.0.11 stabled so that's fine but we need to finally get them to release 1.6.0_01 under DLJ.
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-01 07:57:25 UTC
Should be also combined with bug 176675 (which issued glsa for jdk/jre but not the emul package and there's no extra bug for it like this one). Here vulnerable is <=1.5.0.10 and fixed is >1.5.0.11 only, 1.6 is not stable
Comment 2 Christoph Mende (RETIRED) gentoo-dev 2007-06-02 14:53:20 UTC
Hmm, this bug is only about 1.5.0.11, so why does it depend on bug 178851?
Also beandog already stabled emul-linux-x86-java-1.5.0.11 and .10 is removed, so this is actually fixed :>
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2007-06-02 14:58:53 UTC
woops, didn't want to remove amd64 from CC
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-03 06:25:46 UTC
I guess this one is ready for GLSA.
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-03 22:43:34 UTC
Yeah no need to depend on that bug and CC amd64 anymore.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-07 21:24:28 UTC
[GLSA] status since it's a B2, it's in the way...
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2007-06-21 21:24:28 UTC
hlieberman pointed out that the 1.4 branch is affected, too. since it's slotted we need a new package for that.

i propose that we get the GLSA for 1.5 out and release/update one for 1.4 asap afterwards
Comment 8 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-21 21:46:03 UTC
Right, I could reproduce it in 1.4 with the jpg file (bmp seems to use something unsupported so it just gives safe java backtrace).
But that's the latest version available, so we need a release first and then ebuild.

Now the real not funny part - it's crashing also ibm-jdk-bin 1.4 + 1.5 and jrockit-jdk-bin 1.4 + 1.5. We are all doomed.
Comment 9 Mike Doty (RETIRED) gentoo-dev 2007-06-21 21:53:17 UTC
what do you want amd64 to do?
Comment 10 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-21 22:05:28 UTC
(In reply to comment #9)
> what do you want amd64 to do?

You're listed as (co)maintainer
<pkgmetadata>
        <herd>amd64</herd>
        <herd>java</herd>
        <maintainer>
                <email>herbs@gentoo.org</email>
        </maintainer>
</pkgmetadata>
Comment 11 Mike Doty (RETIRED) gentoo-dev 2007-06-21 22:08:15 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > what do you want amd64 to do?
> 
> You're listed as (co)maintainer
yes, but what do you want amd64 to do? p.mask all the emul versions? only some? remove some from the tree?

I don't see how we can fix the bug, only bump the emul package to a version you(java team) says is stable and lacks the vuln.

please advise.
Comment 12 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-21 22:18:10 UTC
(In reply to comment #11)
> please advise.
 
I'd wait for a fixed sun-jdk-1.4 and bump the emul 1.4 package based on that version. Currently it's still based on blackdown which has dead upstream so we won't see a fixed release from there.

If you want to p.mask the 1.4 meanwhile, depends on you. IIRC nothing depends on it (but not 100% sure) and people who install the emul package for java in 32bit firefox-bin should be using 1.5/1.6 anyway. I don't know what other purpose it has on amd64 :)
Comment 13 Mike Doty (RETIRED) gentoo-dev 2007-06-22 00:33:00 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > please advise.
> 
> I'd wait for a fixed sun-jdk-1.4 and bump the emul 1.4 package based on that
> version. Currently it's still based on blackdown which has dead upstream so we
> won't see a fixed release from there.
> 
> If you want to p.mask the 1.4 meanwhile, depends on you. IIRC nothing depends
> on it (but not 100% sure) and people who install the emul package for java in
> 32bit firefox-bin should be using 1.5/1.6 anyway. I don't know what other
> purpose it has on amd64 :)
> 

I'll wait for the security people to tell me if I should mask the 1.4 series.  the only valid use for it I can see is the binary stuff(outside of portage) that for whatever reason doesn't work on >1.4.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-26 23:04:09 UTC
GLSA 200706-08. 

Strictly speaking following the GLSA policy, there is no imperative need to mask 1.4, since the GLSA says that users should upgrade to >=1.5.0.11. But personally i would prefer masking it. Additionally, the vulnerable ebuilds will be removed from portage one day one another...

As you want !
Comment 15 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-28 23:56:29 UTC
Looks like fixed sun-jdk-1.4.2.15 is here (see bug 183580) so we can finally switch the emul 1.4 slot to use that instead of dead blackdown.
Comment 16 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-07-01 11:15:58 UTC
Sun confirmed 1.4.2.15 fixes it: 
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1

I would make the ebuild but I run x86, needs someone from Java team with amd64 :)
Comment 17 Petteri Räty (RETIRED) gentoo-dev 2007-07-01 11:33:20 UTC
(In reply to comment #16)
> Sun confirmed 1.4.2.15 fixes it: 
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1
> 
> I would make the ebuild but I run x86, needs someone from Java team with amd64
> :)
> 

It really doesn't. You just use the same ebuild as for x86 but just depend on the emul-linux-x86-* packages instead of the normal ones. Of course you are not able to test on amd64 but you can use the stuff it installs just fine on x86. I have done this many times in the past.
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2007-07-15 07:25:20 UTC
Caster please provide an updated ebuild.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2007-08-21 06:16:49 UTC
Caster please provide an updated ebuild.
Comment 20 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-11-03 15:49:32 UTC
ok, finally changed to sun jre and updated to emul-linux-x86-java-1.4.2.16
amd64 please stabilize
Comment 21 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-06 23:43:13 UTC
OK.  I now have this stable on amd64...
Comment 22 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-11-07 06:34:05 UTC
Now the already released GLSA 200706-08 from comment 14 could be slotted as we have a fixed 1.4 slot version... 
Comment 23 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 10:39:24 UTC
This bug does not affect 2008.0 snapshot, removing release@ from CC.
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2008-03-31 17:37:16 UTC
(In reply to comment #22)
> Now the already released GLSA 200706-08 from comment 14 could be slotted as we
> have a fixed 1.4 slot version... 

Done, I will not send an update GLSA, because this will be glsa'd with the other Sun bugs.
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 23:43:54 UTC
GLSA 200804-20, sorry for the long delay.