Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 537940 (CVE-2014-6585) - <dev-java/icedtea{,-bin}-{6.1.13.7,7.2.5.5}: Multiple vulnerabilities (CVE-2014-{6585,6587,6591,6593,6601},CVE-2015-{0383,0395,0400,0407,0408,0412,5078})
Summary: <dev-java/icedtea{,-bin}-{6.1.13.7,7.2.5.5}: Multiple vulnerabilities (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2014-6585
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://blog.fuseyism.com/index.php/20...
Whiteboard: B3 [glsa cve]
Keywords:
: 546702 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-01-27 09:34 UTC by Markus Hauschild
Modified: 2016-03-12 23:41 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Markus Hauschild 2015-01-27 09:34:25 UTC
icedtea 2.5.4 has been released including several security bugfixes

Reproducible: Always
Comment 1 Sergey Popov gentoo-dev 2015-02-01 11:14:00 UTC
This is clearly security issue

Not very familiar with Icedtea release cycle, so i can not say which of those CVE affects 1.6 branch of our icedtea packages
Comment 2 Agostino Sarubbo gentoo-dev 2015-02-02 12:00:34 UTC
(In reply to Sergey Popov from comment #1)
> This is clearly security issue
> 
> Not very familiar with Icedtea release cycle, so i can not say which of
> those CVE affects 1.6 branch of our icedtea packages

yes, http://blog.fuseyism.com/index.php/2015/01/26/security-icedtea-1-13-6-for-openjdk-6-released/
Comment 3 Andrew John Hughes 2015-02-02 22:21:07 UTC
Updated ebuilds have been in java overlay since 23/01 (2.5.4) and 26/01 (1.13.6).
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2015-02-22 20:42:56 UTC
@maintainers: Any movement on this?
Comment 5 James Le Cuirot gentoo-dev 2015-05-10 22:45:54 UTC
Right, no doubt you all saw the massive bug-close-fest that just went on. I know I wasn't supposed to close those but the situation was getting both ridiculous and confusing. Sorry if this messes things up with the GLSAs but it was a bit late to send them now. I've just spoken to keytoaster and he said it's cool.

So there's still a few left and it would be great to be able to close those too. Both icedtea and icedtea-bin have now been updated to the latest versions and these should be free of any vulnerabilities reported to date.

The older icedtea-bin versions have been kept as they are currently stable. They can go as soon as the latest ones are marked stable.

icedtea is trickier as keywording is required for arm, ia64, ppc, and ppc64. I can deal with ppc and ppc64. I might be able to deal with arm but maybe not for a while. Someone else will need to address ia64.
Comment 6 James Le Cuirot gentoo-dev 2015-06-11 22:26:54 UTC
Time for an update.

- The latest icedtea 6 and 7 has been keyworded for ~ppc.
- The latest icedtea 7 has been keyworded for ~arm.
- icedtea-bin builds have been added for ~ppc and ~arm.
- We are dropping ia64 entirely but I lack time to do the mass unkeywording now.
- ppc64 is proving problematic. I'll come back to that.

Because of the last 2 points, I can't drop the vulnerable icedtea versions yet. However I can drop the vulnerable icedtea-bin versions if we stabilise for amd64 and x86. I would also like it stabilised for ppc so that ibm-(jdk|jre)-bin can eventually be dropped. No action is necessary for arm at the moment as it has never had a stable VM.

Arch teams, please do your thing.
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-13 10:35:17 UTC
Please clearly state which packages should go stable on which arches.
Comment 8 James Le Cuirot gentoo-dev 2015-06-13 11:24:08 UTC
(In reply to Agostino Sarubbo from comment #7)
> Please clearly state which packages should go stable on which arches.

Sorry, here you go.

dev-java/icedtea-bin 6.1.13.7, 7.2.5.5: amd64 ppc x86
dev-java/icedtea-sound 1.0.1: amd64 ppc x86
dev-java/icedtea-web 1.5.1-r1: ppc
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-13 11:43:33 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-13 11:44:00 UTC
amd64 stable
Comment 11 James Le Cuirot gentoo-dev 2015-06-13 14:54:39 UTC
If you want to test icedtea-web on a remote machine properly (thinking PPC here) then I was able to fire up sshd in a chroot on a non-standard port, use some port forwarding trickery to log in with X11 forwarding enabled and run itweb-settings as well as javaws. The latter allows you to run an applet without needing a whole browser.
Comment 12 Andrew John Hughes 2015-06-22 23:48:00 UTC
*** Bug 546702 has been marked as a duplicate of this bug. ***
Comment 13 Agostino Sarubbo gentoo-dev 2015-06-24 10:55:55 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 James Le Cuirot gentoo-dev 2015-06-24 11:04:15 UTC
Another update on the non-bin situation. icedtea-7 hasn't been fixed on ppc64 yet but the pre-release for icedtea-3 (Java 8) is looking promising. I've also cleared almost all of the items blocking me from dropping ia64.
Comment 15 James Le Cuirot gentoo-dev 2015-06-28 23:00:47 UTC
The vulnerable -bin versions have now been removed. For non-bin, I still need to drop ia64 but gnu_andrew is going to look into the ppc64 issue next week.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2015-06-29 21:04:56 UTC
Thank you for the update.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev Security 2015-06-29 21:05:33 UTC
GLSA Vote: Yes
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2015-06-29 21:11:38 UTC
CVE-2015-5078 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5078):
  SQL injection vulnerability in the insert function in
  application/controllers/admin/dataentry.php in LimeSurvey 2.06+ allows
  remote authenticated users to execute arbitrary SQL commands via the
  closedate parameter.

CVE-2015-0412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  remote attackers to affect confidentiality, integrity, and availability via
  vectors related to JAX-WS.

CVE-2015-0408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality, integrity, and
  availability via vectors related to RMI.

CVE-2015-0407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality via unknown vectors
  related to Swing.

CVE-2015-0400 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  remote attackers to affect confidentiality via unknown vectors related to
  Libraries.

CVE-2015-0395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot.

CVE-2015-0383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25;
  Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows local
  users to affect integrity and availability via unknown vectors related to
  Hotspot.

CVE-2014-6601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Hotspot.

CVE-2014-6593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25;
  Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote
  attackers to affect confidentiality and integrity via vectors related to
  JSSE.

CVE-2014-6591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591):
  Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75,
  6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via
  unknown vectors related to 2D, a different vulnerability than CVE-2014-6585.

CVE-2014-6587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  local users to affect confidentiality, integrity, and availability via
  unknown vectors related to Libraries.

CVE-2014-6585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality via unknown vectors
  reelated to 2D, a different vulnerability than CVE-2014-6591.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev Security 2015-07-06 12:49:35 UTC
Please Cleanup:
= dev-java/icedtea
6.1.13.5, 7.2.4.8
Comment 20 James Le Cuirot gentoo-dev 2015-07-11 11:02:11 UTC
ia64 has been dropped so 7.2.4.8 has now gone. Waiting to hear from gnu_andrew on the ppc64 issue before removing 6.1.13.5.
Comment 21 Kristian Fiskerstrand gentoo-dev Security 2015-07-16 14:44:00 UTC
GLSA Vote: Yes

New request filed
Comment 22 Andrew John Hughes 2015-07-17 01:22:06 UTC
What is the ppc64 issue with relation to 6? I'm only aware of issues with 7.

Note that the next batch of security updates - 1.13.8 & 2.5.6/2.6.1 will be out within the next week.
Comment 23 James Le Cuirot gentoo-dev 2015-07-17 07:44:00 UTC
(In reply to Andrew John Hughes from comment #22)
> What is the ppc64 issue with relation to 6? I'm only aware of issues with 7.

The problem is that I can't drop that version without something to replace it with. In truth, I could keyword the latest 6 but I had wanted to drop 6 now that 7 has HotSpot. It works much better. If a fix is proving elusive then I'll bite the bullet. I would have done it by now but I've been away.
Comment 24 James Le Cuirot gentoo-dev 2015-07-21 22:12:31 UTC
Upstream haven't been able to resolve the ppc64 issue so I've bitten the bullet and keyworded 6.1.13.7 whilst dropping 6.1.13.5. Sorry it took so long. Security team, please close this out now.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 23:41:03 UTC
This issue was resolved and addressed in
 GLSA 201603-14 at https://security.gentoo.org/glsa/201603-14
by GLSA coordinator Kristian Fiskerstrand (K_F).