1) CVE-2019-10181
Description: "It was found that executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox."
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181

2) CVE-2019-10185
Description: "It was found that icedtea-web was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox."
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185
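The zip-slip class behind CVE-2019-10185 comes down to one mistake: joining an archive entry's name onto the extraction directory and opening the result for writing. The following is an added example, not icedtea-web's code and not taken from this bug; it builds a constructed in-memory JAR with two benign entries and two hostile ones (a `../../` relative entry and an absolute `/etc/cron.d/...` entry), shows where the naive join would have written them, and extracts only the entries that resolve under the destination. The entry names, the destination paths and the `naive_target`/`is_safe_entry`/`safe_extract` helpers are all assumptions made for the illustration.

```python
import io
import os
import tempfile
import zipfile


def naive_target(dest_dir: str, name: str) -> str:
    """The vulnerable pattern: trust the archive's entry name verbatim.

    os.path.join discards dest_dir entirely when name is absolute, and keeps
    '..' components, so '../../.bashrc' and '/etc/cron.d/evil' both end up
    outside dest_dir as soon as the path is opened for writing.
    """
    return os.path.join(dest_dir, name)


def is_safe_entry(dest_dir: str, name: str) -> bool:
    """Return True only if entry `name` resolves to a path under dest_dir."""
    # Treat both separator styles as separators so a Windows-style
    # '..\\..\\x' entry cannot slip past a POSIX-only check.
    normalised = name.replace("\\", "/")
    first = normalised.split("/", 1)[0]
    # Reject absolute paths and drive-letter prefixes outright
    # (a ':' in the first component is rejected conservatively).
    if normalised.startswith("/") or ":" in first:
        return False
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, normalised))
    return target == root or target.startswith(root + os.sep)


def safe_extract(jar_bytes: bytes, dest_dir: str):
    """Extract entries that stay under dest_dir; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_entry(dest_dir, name):
                rejected.append(name)
                continue
            target = os.path.realpath(
                os.path.join(dest_dir, name.replace("\\", "/")))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_jar() -> bytes:
    """Constructed, in-memory JAR: two benign entries plus two zip-slip entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        zf.writestr("../../.bashrc", "echo pwned\n")            # relative traversal
        zf.writestr("/etc/cron.d/evil", "* * * * * root id\n")  # absolute path
    return buf.getvalue()


def demo():
    """Extract the sample JAR into a fresh temp dir; return (extracted, rejected)."""
    dest = tempfile.mkdtemp(prefix="jar-extract-")
    return safe_extract(build_sample_jar(), dest)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

Note that Python's own `ZipFile.extract()` already strips leading slashes and `..` components, so the check matters for any extractor that opens `os.path.join(dest, entry)` itself, which is the pattern the advisory describes. The check does not cover symlink entries already present under the destination; an extractor that also writes symlinks needs to refuse link entries or resolve the parent directory before every write.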
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47d73a57f4977023f20933ae06e0b974b4015078

commit 47d73a57f4977023f20933ae06e0b974b4015078
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-03-28 01:19:46 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-03-28 01:26:47 +0000

    profiles/package.mask: security mask dev-java/icedtea-web

    Bug: https://bugs.gentoo.org/711392
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eac78cad3ce3e5654e97a35369a7e0be05a1ff4b

commit eac78cad3ce3e5654e97a35369a7e0be05a1ff4b
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-03-28 01:17:15 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-03-28 01:26:46 +0000

    profiles/base/package.use.mask: security mask java[webstart]

    Bug: https://bugs.gentoo.org/711392
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 profiles/base/package.use.mask | 9 +++++++++
 1 file changed, 9 insertions(+)
Background: the build system has changed upstream and not many people seem to use this. Too much effort to fix for now. Someone can take it up if they want. Thanks gyakovlev for masking.
(In reply to Sam James (sam_c) (security padawan) from comment #2)
> not many people seem to use this

Java Web Start is still widely used in remote server management solutions.
it'll remain masked and use.masked nevertheless. not going to delete it, so users who still need it have an option to unmask.
Hello,

(In reply to Georgy Yakovlev from comment #4)
> it'll remain masked and use.masked nevertheless.
> not going to delete it, so users who still need it have an option to unmask.

Yes indeed, it is necessary for server remote management. If you leave it masked without any update, then the mask message is quite unclear.

# Georgy Yakovlev <gyakovlev@gentoo.org> (2020-03-27)
# Vulnerable old version of icedtea-web #711392
# new version uses maven + rust

I expected the newer version to be in the tree now. I visited bugzilla here to find out why there is NO newer version. So please update the MASK message to inform users there is currently no new version, to keep them away from unnecessary searching like I did....

And, on the other hand, "Too much effort to fix for now. Someone can take it up if they want." practically means "maintainer needed", right?
I've updated the mask text to

> # Depends on vulnerable old version of icedtea-web #711392
> # new version is not packaged yet
> # package/useflag is not going away anytime soon,
> # just masked. unmask as needed.

The new 2.0 version is pretty hard to package, yeah. Java already has a bad enough dependency situation, but the latest version of icedtea-web depends on rust and uses maven as its build system. Pretty much the worst possible combination for an ebuild.

Some people show interest in bumping icedtea-web properly to version 1.8.3 (rust is optional in that one); I may have time to look at it later as well. As soon as the bump is done and we have the new package, I'll remove the mask.

I'm aware that javaws is still widely used in some situations, and it was never my intention to completely remove it from gentoo. But since it's vulnerable, it's now disabled by default and masked, so people who really need it have to make a decision and take an extra action to install the vulnerable pkg.
icedtea-web 2.0 is in alpha stages, but 1.8.4 has fixes for CVE-2019-{10181,10182,10185}, and adding the rust dependency for it seems pretty straightforward. Here's my stab at it: https://github.com/gentoo/gentoo/pull/17413

I've tested Java Web Start with icedtea-3.16.0, and it works for me.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd4ada8f3923f51e8028b136c276a6a3a079e80d

commit fd4ada8f3923f51e8028b136c276a6a3a079e80d
Author: Alec Moskvin <alecm@gmx.com>
AuthorDate: 2020-09-04 14:00:41 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-09-05 05:20:31 +0000

    dev-java/icedtea-web: Bump to version 1.8.4

    Closes: https://bugs.gentoo.org/711392
    Signed-off-by: Alec Moskvin <alecm@gmx.com>
    Closes: https://github.com/gentoo/gentoo/pull/17413
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/icedtea-web/Manifest                 |  2 +
 dev-java/icedtea-web/icedtea-web-1.8.4.ebuild | 92 +++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d79c65a0c600776066d2e0ebe2d261a41c345d57

commit d79c65a0c600776066d2e0ebe2d261a41c345d57
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-09-05 04:32:54 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-09-05 05:23:43 +0000

    dev-java/icedtea-web: fix multiple qa issues in 1.8.4

    disabled a lot of useless/old functionality

    Bug: https://bugs.gentoo.org/711392
    Closes: https://bugs.gentoo.org/715316
    Closes: https://bugs.gentoo.org/684330
    Closes: https://github.com/gentoo/gentoo/pull/17413
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/icedtea-web/files/README.gentoo-r2   | 14 +++++
 dev-java/icedtea-web/icedtea-web-1.8.4.ebuild | 88 +++++++++++++--------------
 2 files changed, 57 insertions(+), 45 deletions(-)
sorry, should not have closed.
new version in the tree, currently ~arch keyworded.
let's give it some time before stabilization.
Does the current icedtea-web-1.8.4-r1 not build against whatever the current system VM is? I don't think 1.8.4 builds with java-11?
Emerging icedtea-web-1.8.4-r1 fails.
Created attachment 681577 [details] log
(In reply to Alexander from comment #12)
> Created attachment 681577 [details]
> log

Please file a new bug for this
(In reply to John Helmert III (ajak) from comment #13)
> (In reply to Alexander from comment #12)
> > Created attachment 681577 [details]
> > log
>
> Please file a new bug for this

Discovered that it is already submitted: https://bugs.gentoo.org/763636
(In reply to Georgy Yakovlev from comment #9)
> sorry, should not have closed.
> new version in the tree, currently ~arch keyworded.
> let's give it a time before stabilization.

Ready?
Please either clean up the old versions or CC arches.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d41e3cc3fe9be81f8f0a999c94434df4b0dabff8

commit d41e3cc3fe9be81f8f0a999c94434df4b0dabff8
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-03-30 20:30:45 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-04-04 13:19:36 +0000

    dev-java/icedtea-web: 1.6.1-r1 and 1.6.2 security cleanup

    Bug: https://bugs.gentoo.org/711392
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-java/icedtea-web/Manifest                      |  2 -
 dev-java/icedtea-web/files/README.gentoo-r1        | 56 --------------
 .../files/icedtea-web-1.6-javadoc.patch            | 11 ---
 .../files/icedtea-web-1.6-launchers.patch          | 79 -------------------
 .../icedtea-web/files/icedtea-web-1.6-no-hg.patch  | 49 ------------
 .../files/icedtea-web-1.6-respect-ldflags.patch    | 20 -----
 .../files/icedtea-web-1.6-unused-libs.patch        | 20 -----
 dev-java/icedtea-web/icedtea-web-1.6.1-r1.ebuild   | 88 ----------------------
 dev-java/icedtea-web/icedtea-web-1.6.2.ebuild      | 86 ---------------------
 dev-java/icedtea-web/metadata.xml                  |  5 --
 10 files changed, 416 deletions(-)
x86 stable
ppc64 stable
amd64 done
arm64 done

all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c3c1a7e9603fa0d2c8da0277d5dc95853f7ab44

commit 1c3c1a7e9603fa0d2c8da0277d5dc95853f7ab44
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-04-14 23:59:00 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-04-14 23:59:00 +0000

    profiles: drop obsolete icedtea-web mask

    Bug: https://bugs.gentoo.org/711392
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 4 ----
 1 file changed, 4 deletions(-)
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-51 at https://security.gentoo.org/glsa/202107-51 by GLSA coordinator John Helmert III (ajak).