Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 96229 - dev-java/blackdown-{jdk|jre} privilege escalation
Summary: dev-java/blackdown-{jdk|jre} privilege escalation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: x86 Linux
: High enhancement (vote)
Assignee: Gentoo Security
URL: http://blackdown.org/java-linux/java2...
Whiteboard: A2 [glsa | sparc-removed] jaervosz
Keywords:
Depends on:
Blocks: 96092
  Show dependency tree
 
Reported: 2005-06-15 17:09 UTC by Chad Patten
Modified: 2006-10-24 05:29 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chad Patten 2005-06-15 17:09:21 UTC
The Blackdown project's JDK and JRE for the x86 and AMD64 platforms is
vulnerable to the same privilege escalation bug that affects Sun JDK/JRE < 1.4.2_08.

Reproducible: Didn't try
Steps to Reproduce:




Please refer to reference security notice on Blackdown project's site.
Comment 1 Chad Patten 2005-06-15 17:19:36 UTC
A new version which fixes the vulnerability, 1.4.2-02, has been released by
blackdown.org.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-15 22:04:13 UTC
Java please bump. 
 
This is similar to bug #96092. 
Comment 3 Thomas Matthijs (RETIRED) gentoo-dev 2005-06-16 02:40:26 UTC
bumped too ~arch
haven't had time todo more then a basic test
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 08:56:19 UTC
From Blackdown :
Affected : Blackdown J2SE 1.4.2-01 and earlier 1.4 releases.  1.3.1 release are
not affected.

Target KEYWORDS :
blackdown-jdk-1.4.2.02 : x86 sparc amd64
blackdown-jre-1.4.2.02 : x86 sparc amd64
Comment 5 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-06-16 09:49:28 UTC
blackdown-jdk-1.4.2.02 is currently failing digest checks on the file from the
mirrors.  I don't know if the mirror is wrong or the digest is wrong.
Comment 6 Thomas Matthijs (RETIRED) gentoo-dev 2005-06-16 10:14:52 UTC
digest md5 is the same as on
http://www.blackdown.org/java-linux/java2-status/security/Blackdown-SA-2005-02.
txt
and all the mirrors i tried have the file with that md5
Comment 7 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-06-16 10:37:37 UTC
It was on amd64 (sorry, I didn't realize blackdown came in 64-bit versions) and
is now fixed.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2005-06-16 10:57:09 UTC
Blackdown never release 1.4.2* for sparc.
Is there a workaround for 1.4.1?
Comment 9 Jan Brinkmann (RETIRED) gentoo-dev 2005-06-16 11:36:39 UTC
stable on amd64 and x86
Comment 10 Jason Wever (RETIRED) gentoo-dev 2005-06-16 15:10:45 UTC
I sent an email off to Blackdown asking about a newer version of the JRE/JDK for
Linux/SPARC and the response was "1.4.2-02 for SPARC is mostly ready but there's
one show-stopping bug holding it up.".  So its possible there may be something
soon, but not sure when.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-06-17 02:55:23 UTC
We should issue a temporary GLSA with the current fixed versions which says 1.4
on sparc is vulnerable, then issue an update when the sparc version is released.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-06-19 12:03:29 UTC
GLSA 200506-14
Keeping open (enhancement scope) to remember to update the GLSA when sparc is fixed.
Comment 13 Jukka Palko 2005-06-20 05:33:28 UTC
# emerge --ask --oneshot --verbose ">=dev-java/blackdown-jre-1.4.2.02"

These are the packages that I would merge, in order:

Calculating dependencies   
!!! All ebuilds that could satisfy ">=dev-java/blackdown-jre-1.4.2.02" have been
masked.
!!! One of the following masked packages is required to complete your request:
- dev-java/blackdown-jre-1.4.2.02 (masked by: -* keyword)

For more information, see MASKED PACKAGES section in the emerge man page or 
section 2.2 "Software Availability" in the Gentoo Handbook.

http://www.gentoo.org/security/en/glsa/glsa-200506-14.xml
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-20 05:42:39 UTC
Jan, please mark jre asap. 
Comment 15 Thomas Matthijs (RETIRED) gentoo-dev 2005-06-20 05:57:08 UTC
keyworded x86 & amd64
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-20 06:33:12 UTC
Thx Thomas, back to enhancement, waiting for fixed Sparc version. 
Comment 17 Adir Abraham 2005-11-15 03:42:09 UTC
Any news with the Sparc version?
Comment 18 Gustavo Zacarias (RETIRED) gentoo-dev 2005-11-15 04:48:18 UTC
No.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2006-03-22 12:39:20 UTC
Any news on a sparc version?
Comment 20 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-22 14:13:45 UTC
You should check www.blackdown.org, and the answer is no.
Note that the current stable profile (2006.0/2.4) has java masked entirely, so when the previous ones are gone it can be safely nuked.
Comment 21 Petteri Räty (RETIRED) gentoo-dev 2006-07-30 00:02:29 UTC
(In reply to comment #20)
> You should check www.blackdown.org, and the answer is no.
> Note that the current stable profile (2006.0/2.4) has java masked entirely, so
> when the previous ones are gone it can be safely nuked.
> 

When do you plan on removing the previous ones?
Comment 22 Jason Wever (RETIRED) gentoo-dev 2006-07-30 08:48:37 UTC
When 2006.1 ships
Comment 23 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-05 05:26:58 UTC
Jason any news on this one?
Comment 24 Gustavo Zacarias (RETIRED) gentoo-dev 2006-09-05 08:17:20 UTC
We'll deprecate the 2005.1 profile later today, send a mail with a 30-day warning period and nuke java keywords/old profiles then.
Comment 25 Gustavo Zacarias (RETIRED) gentoo-dev 2006-10-05 11:27:28 UTC
the sparc cleanup is done, removed all java-dependant keywords from ebuilds and nuked the old profiles.
feel free to call us back if you feel nostalgic or something ;)
Comment 26 Matt Drew (RETIRED) gentoo-dev 2006-10-24 05:15:46 UTC
So ... do we even need a GLSA update on this now that sparc has been purged?  Close it?
Comment 27 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-24 05:29:14 UTC
Thanks Matt.  indeed the policy doesn't talk about this configuration in which a package has been removed for the unpatched architecture. I think no GLSA nor GLSA-update is needed to be sent. And the note in GLSA 200506-14 is still true:

"Note to SPARC users: There is no stable secure Blackdown Java for the SPARC architecture. Affected users should remove the package until a SPARC package is released. "

So I close that bug (finally :)  ) . Feel free to reopen if you disagree.