Bug 623905

Summary: VUL-0: openjdk: multiple security issues
Product: [openSUSE] openSUSE 11.1
Reporter: Matthias Weckbecker <mweckbecker>
Component: Java
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P2 - High
CC: security-team, wolfgang
Version: Final
Target Milestone: Future/Later
Hardware: Other
OS: Other
Whiteboard: CVSSv2:NVD:CVE-2010-0837:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2010-0837:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 601243, 624057
Deadline: 2010-08-24

Description Matthias Weckbecker 2010-07-20 14:49:02 UTC
Your friendly security team received the following report.
Please respond ASAP.
The issue is public.

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2010-April/008950.html
Comment 1 Matthias Weckbecker 2010-07-20 14:50:03 UTC
  - (CVE-2010-0837): JAR "unpack200" must verify input parameters (6902299)
  - (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
  - (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
  - (CVE-2010-0082): Loader-constraint table allows arrays instead of only the base-classes (6626217)
  - (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
  - (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390)
  - (CVE-2010-0091): Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
  - (CVE-2010-0088): Inflater/Deflater clone issues (6745393)
  - (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
  - (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
  - (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
  - (CVE-2010-0093): System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
  - (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
  - (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823)
  - (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability (6914866)
  - (CVE-2009-3555): TLS: MITM attacks via session renegotiation
  - 6639665: ThreadGroup finalizer allows creation of false root ThreadGroups
  - 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly encoded CommonName OIDs
  - 6910590: Application can modify command array in ProcessBuilder
  - 6909597: JPEGImageReader stepX Integer Overflow Vulnerability
  - 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
Comment 3 Michal Vyskocil 2010-07-30 09:42:32 UTC
Submitted to:

head - 44266
11.3 - 44263
11.2 - 44265
11.1 - 44264

Move this bug to openSUSE 11.1 to make it public.
Comment 4 Michal Vyskocil 2010-08-03 08:49:45 UTC
JFI: the
http://blog.fuseyism.com/index.php/2010/07/28/icedtea6-181-released/
refers to the two CVEs in 1.8.1:

# CVE-2010-2783, RH616895: IcedTea ‘Extended JNLP Services’ arbitrary file access
# CVE-2010-2548, RH616893: IcedTea Incomplete property access check for unsigned applications
Comment 7 Ludwig Nussel 2010-08-10 14:20:48 UTC
The link in comment#0 and therefore the CVE list in comment#1 are bogus. They refer to icedtea 1.7.2. We are talking about a version update to icedtea 1.8.1 as noted in comment#4 here.
Comment 8 Swamp Workflow Management 2010-08-10 14:29:09 UTC
The SWAMPID for this issue is 35073.
This issue was rated as moderate.
Please submit fixed packages until 2010-08-24.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 9 Michal Vyskocil 2010-08-11 07:14:11 UTC
(In reply to comment #7)
> The link in comment#0 and therefore the cve list in comment#1 are bogus. They
> refer to icedtea 1.7.2. We are talking about a version update to icedtea 1.8.1
> as noted in comment#4 here.

Ludwig, comment#0 and comment#1 refer to icedtea6-1.8.0, so they are valid! If you visit the attachment [1] of the announcement email [2] from comment#0, you find a lot of icedtea6-1.8 strings. So the list of CVEs in comment#1 is valid for this update too.

[1] http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20100414/58d9f1ef/attachment-0001.txt
[2] http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2010-April/008950.html
Comment 10 Ludwig Nussel 2010-08-11 07:23:19 UTC
We claim to have fixed those CVE numbers in the previous update already, though. So we can hardly release another update that fixes the same CVEs again.
Comment 11 Michal Vyskocil 2010-08-11 07:44:00 UTC
Hi Ludwig,

You're right, the 1.8.0 release contains the same fixes as 1.7.2, which we already released. So the valid list is only the CVEs from comment#4.
Comment 12 Swamp Workflow Management 2010-08-26 11:34:28 UTC
Update released for: java-1_6_0-openjdk, java-1_6_0-openjdk-debuginfo, java-1_6_0-openjdk-debugsource, java-1_6_0-openjdk-demo, java-1_6_0-openjdk-demo-debuginfo, java-1_6_0-openjdk-devel, java-1_6_0-openjdk-devel-debuginfo, java-1_6_0-openjdk-javadoc, java-1_6_0-openjdk-plugin, java-1_6_0-openjdk-plugin-debuginfo, java-1_6_0-openjdk-src
Products:
openSUSE 11.1 (debug, i586, ppc, x86_64)
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 13 Thomas Biege 2010-08-26 11:35:04 UTC
released
Comment 14 Bernhard Wiedemann 2016-04-15 12:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (623905) was mentioned in
https://build.opensuse.org/request/show/44263 11.3:Test / java-1_6_0-openjdk
https://build.opensuse.org/request/show/44264 11.1 / java-1_6_0-openjdk
https://build.opensuse.org/request/show/44265 11.2:Test / java-1_6_0-openjdk
https://build.opensuse.org/request/show/44266 Factory / java-1_6_0-openjdk