Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 525472 (CVE-2014-6511) - <dev-java/oracle-jdk-bin-1.7.0.68 <dev-java/oracle-jdk-bin-1.8.0.21 : Unspecified vulnerability in Oracle Java SE
Summary: <dev-java/oracle-jdk-bin-1.7.0.68 <dev-java/oracle-jdk-bin-1.8.0.21 : Unspeci...
Status: RESOLVED FIXED
Alias: CVE-2014-6511
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-15 08:15 UTC by Agostino Sarubbo
Modified: 2016-03-12 12:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-10-15 08:15:03 UTC
From ${URL} :

An insufficient array boundary check flaw was discovered in the ICU library Layout Engine 
component, used as part of the 2D component in OpenJDK.  A specially-crafted font file could 
trigger an out of bounds read, which could lead to information disclosure or application crash.  A 
malicious Java application or applet could use this flaw to bypass certain Java sandbox 
restrictions.

External References:

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixJAVA


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel gentoo-dev 2014-12-28 21:54:50 UTC
Here's what Debian says about this bug: 

Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D.

Here's what the ICU pages say about the Layout Engine: 

http://userguide.icu-project.org/layoutengine
The ICU LayoutEngine has not had active development for some time, has many open bugs, and has now been deprecated. Users of ICU Layout are strongly encouraged to consider the HarfBuzz project as a replacement for the ICU Layout Engine. 

The source file in question, as far as I can identify it, has not been changed since 2013-04-18.

This looks to me like a bug in OpenJDK (using a deprecated library).
Comment 2 Andreas K. Hüttel gentoo-dev 2015-02-07 16:50:30 UTC
(In reply to Andreas K. Hüttel from comment #1)
> Here's what Debian says about this bug: 
> 
> Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20
> allows remote attackers to affect confidentiality via unknown vectors
> related to 2D.
> 
> Here's what the ICU pages say about the Layout Engine: 
> 
> http://userguide.icu-project.org/layoutengine
> The ICU LayoutEngine has not had active development for some time, has many
> open bugs, and has now been deprecated. Users of ICU Layout are strongly
> encouraged to consider the HarfBuzz project as a replacement for the ICU
> Layout Engine. 
> 
> The source file in question, as far as I can identify it, has not been
> changed since 2013-04-18.
> 
> This looks to me like a bug in OpenJDK (using a deprecated library).

After no reply from security for a month, changing topic and re-ccing to java team.
Comment 3 James Le Cuirot gentoo-dev 2015-04-15 21:55:17 UTC
We still have one vulnerable version in the tree, 1.7.0.60, and this is only there to support ARM. Unfortunately Oracle didn't do another Java 7 release for ARM but there is 1.8.0.33. Given that I'm bumping other arches right now to 1.8.0.45 for security fixes, 1.8.0.33 probably has other vulnerabilities besides this one. Oracle seems to have a very half-arsed relationship with ARM so we should really be looking to icedtea instead.
Comment 4 James Le Cuirot gentoo-dev 2015-09-05 15:16:19 UTC
Oracle seems to be treating ARM as a first class arch now so 1.7.0.60 has been removed. Security team, please close this out.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-12 09:50:40 UTC
Added to existing GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 12:40:38 UTC
This issue was resolved and addressed in
 GLSA 201603-11 at https://security.gentoo.org/glsa/201603-11
by GLSA coordinator Kristian Fiskerstrand (K_F).