Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 85804 - dev-java/sun-jdk: Java Web Start argument injection vulnerability
Summary: dev-java/sun-jdk: Java Web Start argument injection vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa+]
Depends on:
Reported: 2005-03-18 11:37 UTC by Jan Brinkmann (RETIRED)
Modified: 2005-03-24 13:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Jan Brinkmann (RETIRED) gentoo-dev 2005-03-18 11:37:17 UTC

Java Web Start is a technology for easy client-side deployment of Java
applications. "Using Java Web Start technology, standalone Java
software applications can be deployed with a single click over the
network" (from Sun Microsystems's website).

Java Web Start is installed with Java Runtime Environment (JRE). During
installation, file type associations are added to make web browsers
automatically (with a single click) open Java Web Start's .JNLP files
(the behavior may vary between different web browsers).

There is a vulnerability in the way Web Start handles Java system
properties defined in JNLP files. A malicious user can pass command
line arguments to the Java virtual machine. They can be used to disable
the Java "sandbox" and compromise the system. The attack can be carried
out when the victim user views a web page crafted by the attacker.



Java Web Start in J2SE 1.4.2 releases prior 1.4.2_07 are vulnerable.
J2SE 5.0 and later, and releases prior to 1.4.2 are NOT vulnerable.


The complete message can be found here:

1.4.2_07 is already in the tree.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-03-18 11:53:50 UTC
Would the sun-jre also be affected ?
Comment 2 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-18 11:58:26 UTC
i think so, since the jre also provides javaws (the java webstart binary)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-24 13:45:51 UTC
GLSA 200503-28