Bug 291817 - <dev-java/sun-jdk-1.6.0.17 <dev-java/sun-jdk-1.5.0.22 and dev-java/sun-jre-bin and app-emulation/emul-linux-x86-java security vulnerabilities (CVE-2009-{2409,3728,3729,3865,3866,3867,3868,3869,3871,3872,3873,3874,3875,3876,3877,3879,3880,3881,3882,3884...
Summary: <dev-java/sun-jdk-1.6.0.17 <dev-java/sun-jdk-1.5.0.22 and dev-java/sun-jre-bi...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://java.sun.com/javase/6/webnotes...
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 291003 291005
Depends on: 287615
Blocks: java-security 292003
Reported: 2009-11-04 08:48 UTC by Alex Legler (RETIRED)
Modified: 2009-11-17 23:09 UTC
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-04 08:48:36 UTC
Sun JDK/JRE Version 6 Update 17 fixes the following vulnerabilities:

Sun    | Description
bug #  |
-------+-----------------------------------------------------------------------
6631533 ICC_Profile allows detecting if some files exist
6815780 TrueType font parsing crash when stressing Sun Bug 6751322 test case
6822057 X11 and Win32GraphicsDevice don't clone arrays returned from 
        getConfigurations()
6862969 JPEG JFIF Decoder issue
6862970 Image Color Profile parsing issue
6872357 JRE AWT setDiffICM vulnerable to Stack Overflow
6872358 JRE AWT setBytePixels vulnerable to Heap Overflow
6664512 Component and [Default]KeyboardFocusManager pass security sensitive 
        objects to loggers
6636650 (cl) Resurrected ClassLoaders can still have children
6861062 Disable MD2 in certificate chain validation
6863503 SECURITY: MessageDigest.isEqual introduces timing attack vulnerabilities
6864911 ASN.1/DER input stream parser needs more work
6854303 Sun Java HsbParser.getSoundBank Stack Buffer Overflow Vulnerability
6657026 Numerous static security flaws in Swing (findbugs)
6657138 Mutable statics in Windows PL&F (findbugs)
6824265 (tz) TimeZone.getTimeZone allows probing local filesystem
6632445 DoS from parsing BMPs with UNC ICC links
6862968 JPEG Image Writer quantization problem
6874643 ImageI/O JPEG is vulnerable to Heap Overflow
6869694 java update malfunctioning
6869752 Deployment Toolkit plugin "launch" method vulnerable to exploits
6872824 arbitrary code execution using java web start
6870531 REGRESSION:have problem to run JNLP app and applets with signed Jar 
        files
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-11-04 09:57:05 UTC
*** Bug 291003 has been marked as a duplicate of this bug. ***
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-11-04 09:57:24 UTC
*** Bug 291005 has been marked as a duplicate of this bug. ***
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-11-04 11:30:07 UTC
Please stabilize:
sun-jdk-1.5.0.22.ebuild
sun-jdk-1.6.0.17.ebuild
sun-jre-bin-1.5.0.22.ebuild
sun-jre-bin-1.6.0.17.ebuild
emul-linux-x86-java-1.5.0.22.ebuild
emul-linux-x86-java-1.6.0.17.ebuild

Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-04 22:55:49 UTC
Arches, please test and mark stable:
=dev-java/sun-jdk-1.5.0.22
=dev-java/sun-jdk-1.6.0.17
=dev-java/sun-jre-bin-1.5.0.22
=dev-java/sun-jre-bin-1.6.0.17
=app-emulation/emul-linux-x86-java-1.5.0.22
=app-emulation/emul-linux-x86-java-1.6.0.17

Target keywords : "amd64 x86"
Comment 5 Markus Meier gentoo-dev 2009-11-05 21:26:05 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2009-11-05 21:29:59 UTC
amd64 stable, all arches done.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-05 22:28:47 UTC
We've got a pending GLSA for sun-jdk, this will be added.
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-09 16:18:14 UTC
CVE-2009-3865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3865):
  The launch method in the Deployment Toolkit plugin in Java Runtime
  Environment (JRE) in Sun Java SE in JDK and JRE 6 before Update 17
  allows remote attackers to execute arbitrary commands via a crafted
  web page, aka Bug Id 6869752.

CVE-2009-3866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3866):
  The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before
  Update 17 does not properly use security model permissions when
  removing installer extensions, which allows remote attackers to
  execute arbitrary code by modifying a certain JNLP file to have a URL
  field that points to an unintended trusted application, aka Bug Id
  6872824.

CVE-2009-3867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3867):
  Stack-based buffer overflow in the HsbParser.getSoundBank function in
  Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before
  Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x
  before 1.4.2_24 allows remote attackers to execute arbitrary code via
  a long file: URL in an argument, aka Bug Id 6854303.

CVE-2009-3868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3868):
  Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before
  Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x
  before 1.4.2_24 does not properly parse color profiles, which allows
  remote attackers to gain privileges via a crafted image file, aka Bug
  Id 6862970.

CVE-2009-3869 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3869):
  Stack-based buffer overflow in the setDiffICM function in the
  Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in
  Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before
  Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x
  before 1.4.2_24 allows remote attackers to execute arbitrary code via
  a crafted argument, aka Bug Id 6872357.

CVE-2009-3871 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3871):
  Heap-based buffer overflow in the setBytePixels function in the
  Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in
  Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before
  Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x
  before 1.4.2_24 allows remote attackers to execute arbitrary code via
  crafted arguments, aka Bug Id 6872358.

CVE-2009-3872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3872):
  Unspecified vulnerability in the JPEG JFIF Decoder in Sun Java SE in
  JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK
  and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24
  allows remote attackers to gain privileges via a crafted image file,
  aka Bug Id 6862969.

CVE-2009-3873 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3873):
  The JPEG Image Writer in Sun Java SE in JDK and JRE 5.0 before Update
  22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before
  1.4.2_24 allows remote attackers to gain privileges via a crafted
  image file, related to a "quantization problem," aka Bug Id 6862968.

CVE-2009-3874 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3874):
  Integer overflow in the JPEGImageReader implementation in the
  ImageI/O component in Sun Java SE in JDK and JRE 5.0 before Update
  22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before
  1.4.2_24 allows remote attackers to execute arbitrary code via large
  subsample dimensions in a JPEG file that triggers a heap-based buffer
  overflow, aka Bug Id 6874643.

CVE-2009-3875 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3875):
  The MessageDigest.isEqual function in Java Runtime Environment (JRE)
  in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6
  before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE
  1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based
  digital signatures, and possibly bypass authentication, via
  unspecified vectors related to "timing attack vulnerabilities," aka
  Bug Id 6863503.

CVE-2009-3876 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3876):
  Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before
  Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before
  1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote
  attackers to cause a denial of service (memory consumption) via
  crafted DER encoded data, which is not properly decoded by the ASN.1
  DER input stream parser, aka Bug Id 6864911.

CVE-2009-3877 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3877):
  Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before
  Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before
  1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote
  attackers to cause a denial of service (memory consumption) via
  crafted HTTP headers, which are not properly parsed by the ASN.1 DER
  input stream parser, aka Bug Id 6864911.

Comment 9 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-11-10 19:48:40 UTC
You could add blackdown-jdk/jre to the GLSA. It's a relicensed old version of sun-jdk. It also has an old bug, 182824.
Comment 10 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-12 23:36:17 UTC
CVE-2009-3728 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3728):
  Directory traversal vulnerability in the ICC_Profile.getInstance
  method in Java Runtime Environment (JRE) in Sun Java SE 5.0 before
  Update 22 and 6 before Update 17, and OpenJDK, allows remote
  attackers to determine the existence of local International Color
  Consortium (ICC) profile files via a .. (dot dot) in a pathname, aka
  Bug Id 6631533.

CVE-2009-3729 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3729):
  Unspecified vulnerability in the TrueType font parsing functionality
  in Sun Java SE 5.0 before Update 22 and 6 before Update 17 allows
  remote attackers to cause a denial of service (application crash) via
  a certain test suite, aka Bug Id 6815780.

CVE-2009-3879 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3879):
  Multiple unspecified vulnerabilities in the (1) X11 and (2)
  Win32GraphicsDevice subsystems in Sun Java SE 5.0 before Update 22
  and 6 before Update 17, and OpenJDK, have unknown impact and attack
  vectors, related to failure to clone arrays that are returned by the
  getConfigurations function, aka Bug Id 6822057.

CVE-2009-3880 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3880):
  The Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE)
  in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and
  OpenJDK, does not properly restrict the objects that may be sent to
  loggers, which allows attackers to obtain sensitive information via
  vectors related to the implementation of Component,
  KeyboardFocusManager, and DefaultKeyboardFocusManager, aka Bug Id
  6664512.

CVE-2009-3881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3881):
  Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK,
  does not prevent the existence of children of a resurrected
  ClassLoader, which allows remote attackers to gain privileges via
  unspecified vectors, related to an "information leak vulnerability,"
  aka Bug Id 6636650.

CVE-2009-3882 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3882):
  Multiple unspecified vulnerabilities in the Swing implementation in
  Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK,
  have unknown impact and remote attack vectors, related to
  "information leaks in mutable variables," aka Bug Id 6657026.

CVE-2009-3884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3884):
  The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22
  and 6 before Update 17, and OpenJDK, allows remote attackers to
  determine the existence of local files via vectors related to
  handling of zoneinfo (aka tz) files, aka Bug Id 6824265.

CVE-2009-3886 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3886):
  The Java Web Start implementation in Sun Java SE 6 before Update 17
  does not properly handle the interaction between a signed JAR file
  and a JNLP (1) application or (2) applet, which has unspecified
  impact and attack vectors, related to a "regression," aka Bug Id
  6870531.

Comment 11 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-11-17 18:18:45 UTC
All blockers of sun-jdk-1.4 and blackdown-jdk removal are gone. The GLSA can thus be released.
Comment 12 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-17 22:47:27 UTC
CVE-2009-2409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2409):
  The NSS library before 3.12.3, as used in Firefox; GnuTLS before
  2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products
  support MD2 with X.509 certificates, which might allow remote
  attackers to spoof certificates by using MD2 design flaws to generate
  a hash collision in less than brute-force time.  NOTE: the scope of
  this issue is currently limited because the amount of computation
  required is still large.
Comment 13 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-17 23:09:45 UTC
GLSA 200911-02
Comment 14 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-03-07 00:06:52 UTC
The original summary for this bug was longer than 255 characters, and so it was truncated when Bugzilla was upgraded. The original summary was:

<dev-java/sun-jdk-1.6.0.17 <dev-java/sun-jdk-1.5.0.22 and dev-java/sun-jre-bin and app-emulation/emul-linux-x86-java security vulnerabilities (CVE-2009-{2409,3728,3729,3865,3866,3867,3868,3869,3871,3872,3873,3874,3875,3876,3877,3879,3880,3881,3882,3884,3886})