355729 – dev-java/ibm-jdk-bin: 1.6.0.9 SR9 package checksum failure due to fix included by CVE-2010-4476.

Bug 355729 - dev-java/ibm-jdk-bin: 1.6.0.9 SR9 package checksum failure due to fix included by CVE-2010-4476.

Summary: dev-java/ibm-jdk-bin: 1.6.0.9 SR9 package checksum failure due to fix include...

Status:	RESOLVED DUPLICATE of bug 360431

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:	http://www.ibm.com/developerworks/jav...
Whiteboard:	B3 [ebuild]
Keywords:

Duplicates (1):	359535 (view as bug list)
Depends on:
Blocks:

Reported:	2011-02-20 18:28 UTC by Marc-Andre Landry
Modified:	2011-03-25 16:30 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marc-Andre Landry 2011-02-20 18:28:31 UTC

The SR9 package already include a new fix causing a checksum failure on the package. It may need a revision bump.

Follow URL for security report.

Reproducible: Always

Steps to Reproduce:
1. Download SR9 packages using links2
2. emerge dev-java/ibm-jdk-bin

Actual Results:  
File renamed to ..../ibm-jdk-6.0.9.0-linux-ppc.tgz._checksum_failure_.velDzY


Expected Results:  
dev-java/ibm-jdk-bin was installed.

Not output a fetch restriction warning messages but a clear Checksum Failure would have been nice but that is another question.

Comment 1 Marc-Andre Landry 2011-02-20 18:54:21 UTC

I found a temporary disgraceful workaround.

Assuming IBM do package always the same way.

#> cd /usr/portage/dev-java/ibm-jdk-bin
#> ebuilt --force ibm-jdk-bin-1.6.0.9.ebuild manifest

--- ignore the missing file error as it did update the manifest even if it says not ---

#> emerge dev-java/ibm-jdk-bin

--- Enjoy IBM JDK 6.

Comment 2 Tim Sammut (RETIRED) gentoo-dev

2011-02-21 04:06:01 UTC

@java, it looks like IBM has updated the package for 1.6.0.9 to include this fix. While this makes sure users get the fix, it is reportedly causing installs to fail.

Comment 3 Otto A. Schell 2011-02-28 03:38:54 UTC

(In reply to comment #1)
> I found a temporary disgraceful workaround.
> 
> Assuming IBM do package always the same way.
> 
> #> cd /usr/portage/dev-java/ibm-jdk-bin
> #> ebuilt --force ibm-jdk-bin-1.6.0.9.ebuild manifest
> 
> --- ignore the missing file error as it did update the manifest even if it says
> not ---
> 
> #> emerge dev-java/ibm-jdk-bin
> 
> --- Enjoy IBM JDK 6.
>

Hmm - I made ist with 
~/ # ebuild --skip-manifest ibm-jdk-bin-1.6.0.9.ebuild compile

~/ #  ebuild --skip-manifest ibm-jdk-bin-1.6.0.9.ebuild merge

and

~ # java-config -L
The following VMs are available for generation-2:
*)	IBM JDK 1.6.0.9 [ibm-jdk-bin-1.6]

mfg oas

Comment 4 Robin Johnson archtester

2011-03-16 08:43:02 UTC

java:
please confirm that new file ibm-java-sdk-6.0-9.0-linux-x86_64.tgz with size 95612051 and the following checksums is correct
96770ba9e5cfa9ea9802ff103fcf7502  ibm-java-sdk-6.0-9.0-linux-x86_64.tgz
4e74e57178b8532e856dcdd79698124e95c4b451  ibm-java-sdk-6.0-9.0-linux-x86_64.tgz

If it is correct, please update the Manifest.

Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev

2011-03-25 15:10:56 UTC

(In reply to comment #4)
> java:
> please confirm that new file ibm-java-sdk-6.0-9.0-linux-x86_64.tgz with size
> 95612051 and the following checksums is correct
> 96770ba9e5cfa9ea9802ff103fcf7502  ibm-java-sdk-6.0-9.0-linux-x86_64.tgz
> 4e74e57178b8532e856dcdd79698124e95c4b451  ibm-java-sdk-6.0-9.0-linux-x86_64.tgz
> 
> If it is correct, please update the Manifest.

No, such changes require bump. And there's 6.0.9.1 already anyway, tracked in bug 360431.

*** This bug has been marked as a duplicate of bug 360431 ***

Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev

2011-03-25 16:30:38 UTC

*** Bug 359535 has been marked as a duplicate of this bug. ***