Bug 711392 (CVE-2019-10181, CVE-2019-10185) - dev-java/icedtea-web: Multiple vulnerabilities (CVE-2019-{10181,10185})
Summary: dev-java/icedtea-web: Multiple vulnerabilities (CVE-2019-{10181,10185})
Status: CONFIRMED
Alias: CVE-2019-10181, CVE-2019-10185
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal with 3 votes
Assignee: Gentoo Security
Whiteboard: B2 [ebuild masked cve]
Keywords: PMASKED, PullRequest
Reported: 2020-03-02 23:40 UTC by Sam James
Modified: 2020-09-05 06:01 UTC
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-03-02 23:40:58 UTC
1) CVE-2019-10181

Description:
"It was found that executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox."

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181

2) CVE-2019-10185

Description:
"It was found that icedtea-web was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox."

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185
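An illustration of the zip-slip class named for CVE-2019-10185, added here as an example and not taken from icedtea-web's or Gentoo's code: a constructed JAR containing a traversal entry is extracted with a containment check that refuses any entry resolving outside the destination directory. The entry names and temp-dir layout are assumptions for the demo.

```python
import io
import os
import tempfile
import zipfile


def build_test_jar() -> bytes:
    # Constructed sample: a zip (JAR) with two normal entries and one
    # entry whose name climbs out of the extraction directory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("../../.bashrc", "echo constructed-sample\n")
    return buf.getvalue()


def is_safe_entry(dest_dir: str, name: str) -> bool:
    # Resolve the entry against the destination and require that the
    # result stays inside it; absolute names, backslashes and NUL are refused.
    if name.startswith("/") or "\\" in name or "\0" in name:
        return False
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
    return target == dest_real or target.startswith(dest_real + os.sep)


def extract_jar_safely(jar_bytes: bytes, dest_dir: str):
    # Write entries by hand instead of ZipFile.extract() so the
    # containment check above is the only thing deciding the path.
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_dir, *info.filename.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo() -> dict:
    # Extract the sample into a fresh temp dir and report what happened.
    dest = tempfile.mkdtemp(prefix="jar-")
    extracted, rejected = extract_jar_safely(build_test_jar(), dest)
    written = os.path.isfile(os.path.join(dest, "com", "example", "App.class"))
    return {"extracted": extracted, "rejected": rejected, "class_written": written}
```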
Comment 1 Larry the Git Cow gentoo-dev 2020-03-28 01:28:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47d73a57f4977023f20933ae06e0b974b4015078

commit 47d73a57f4977023f20933ae06e0b974b4015078
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-03-28 01:19:46 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-03-28 01:26:47 +0000

    profiles/package.mask: security mask dev-java/icedtea-web
    
    Bug: https://bugs.gentoo.org/711392
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eac78cad3ce3e5654e97a35369a7e0be05a1ff4b

commit eac78cad3ce3e5654e97a35369a7e0be05a1ff4b
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-03-28 01:17:15 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-03-28 01:26:46 +0000

    profiles/base/package.use.mask: security mask java[webstart]
    
    Bug: https://bugs.gentoo.org/711392
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 profiles/base/package.use.mask | 9 +++++++++
 1 file changed, 9 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2020-03-28 01:43:20 UTC
Background: the build system has changed upstream and not many people seem to use this. Too much effort to fix for now. Someone can take it up if they want.

Thanks gyakovlev for masking.
Comment 3 Alexander Tsoy 2020-03-29 14:08:36 UTC
(In reply to Sam James (sam_c) (security padawan) from comment #2)
> not many people seem to use this
Java Web Start is still widely used in remote server management solutions.
Comment 4 Georgy Yakovlev gentoo-dev 2020-03-29 19:44:05 UTC
it'll remain masked and use.masked nevertheless.
not going to delete it, so users who still need it have an option to unmask.
Comment 5 Martin Dummer 2020-03-30 15:30:35 UTC
Hello,

(In reply to Georgy Yakovlev from comment #4)
> it'll remain masked and use.masked nevertheless.
> not going to delete it, so users who still need it have an option to unmask.

Yes indeed it is necessary for server remote management.
If you leave it masked without any update, then the mask message is quite unclear.

# Georgy Yakovlev <gyakovlev@gentoo.org> (2020-03-27)
# Vulnerable old version of icedtea-web #711392
# new version uses maven + rust

I expected the newer version to be in the tree now. I visited bugzilla here to find out why there is NO newer version. So please update the MASK message to inform users there is currently no new version, to keep them away from unnecessary searching like I did...

And, on the other hand, "Too much effort to fix for now. Someone can take it up if they want." practically means "maintainer needed", right?
Comment 6 Georgy Yakovlev gentoo-dev 2020-04-22 17:35:20 UTC
I've updated mask text to

> # Depends on vulnerable old version of icedtea-web #711392
> # new version is not packaged yet
> # package/useflag is not going away anytime soon,
> # just masked. unmask as needed.


New 2.0 version is pretty hard to package, yeah. Java already has a bad enough dependency situation, but the latest version of icedtea-web depends on rust and uses maven as its build system. Pretty much the worst possible combination for an ebuild.

Some people show interest in bumping icedtea-web properly to version 1.8.3 (rust is optional in that one), I may have time to look at it later as well.

As soon as bump is done and we have new package I'll remove the mask.

I'm aware that javaws is still widely used in some situations, and it was never my intention to completely remove it from gentoo.

But since it's vulnerable it's now disabled by default and masked, so people who really need it have to make a decision and take an extra action to install the vulnerable pkg.
Comment 7 Alec Moskvin 2020-09-04 15:09:34 UTC
icedtea-web 2.0 is in alpha stages, but 1.8.4 has fixes for CVE-2019-{10181,10182,10185}, and adding the rust dependency for it seems pretty straightforward.

Here's my stab at it: https://github.com/gentoo/gentoo/pull/17413

I've tested Java Web Start with icedtea-3.16.0, and it works for me.
Comment 8 Larry the Git Cow gentoo-dev 2020-09-05 05:24:31 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd4ada8f3923f51e8028b136c276a6a3a079e80d

commit fd4ada8f3923f51e8028b136c276a6a3a079e80d
Author:     Alec Moskvin <alecm@gmx.com>
AuthorDate: 2020-09-04 14:00:41 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-09-05 05:20:31 +0000

    dev-java/icedtea-web: Bump to version 1.8.4
    
    Closes: https://bugs.gentoo.org/711392
    Signed-off-by: Alec Moskvin <alecm@gmx.com>
    Closes: https://github.com/gentoo/gentoo/pull/17413
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/icedtea-web/Manifest                 |  2 +
 dev-java/icedtea-web/icedtea-web-1.8.4.ebuild | 92 +++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d79c65a0c600776066d2e0ebe2d261a41c345d57

commit d79c65a0c600776066d2e0ebe2d261a41c345d57
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-09-05 04:32:54 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-09-05 05:23:43 +0000

    dev-java/icedtea-web: fix multiple qa issues in 1.8.4
    
    disabled a lot of useless/old functionality
    
    Bug: https://bugs.gentoo.org/711392
    Closes: https://bugs.gentoo.org/715316
    Closes: https://bugs.gentoo.org/684330
    Closes: https://github.com/gentoo/gentoo/pull/17413
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/icedtea-web/files/README.gentoo-r2   | 14 +++++
 dev-java/icedtea-web/icedtea-web-1.8.4.ebuild | 88 +++++++++++++--------------
 2 files changed, 57 insertions(+), 45 deletions(-)
Comment 9 Georgy Yakovlev gentoo-dev 2020-09-05 06:01:53 UTC
sorry, should not have closed.
new version in the tree, currently ~arch keyworded.
let's give it some time before stabilization.