Bug 15706

Summary: java-1.7.0-openjdk new security issues fixed in IcedTea 2.5.5
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/640410/
Whiteboard: has_procedure advisory MGA4-32-OK mga4-64-ok
Source RPM: java-1.7.0-openjdk-1.7.0.75-2.5.4.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-04-15 15:27:23 CEST 
RedHat has issued an advisory on April 14:
https://rhn.redhat.com/errata/RHSA-2015-0806.html

This corresponds to the latest Oracle Critical Patch Update:
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Here's the upstream IcedTea announcement:
http://blog.fuseyism.com/index.php/2015/04/15/security-icedtea-2-5-5-for-openjdk-7-released/

The Java 8 update for Cauldron is being handled in Bug 15703.

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated java-1.7.0 packages fix security vulnerabilities:

An off-by-one flaw, leading to a buffer overflow, was found in the font
parsing code in the 2D component in OpenJDK. A specially crafted font file
could possibly cause the Java Virtual Machine to execute arbitrary code,
allowing an untrusted Java application or applet to bypass Java sandbox
restrictions (CVE-2015-0469).

A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use this
flaw to corrupt the Java Virtual Machine memory and, possibly, execute
arbitrary code, bypassing Java sandbox restrictions (CVE-2015-0460).

A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE to
raise an exception, possibly causing an application using JSSE to exit
unexpectedly (CVE-2015-0488).

A flaw was discovered in the Beans component in OpenJDK. An untrusted Java
application or applet could use this flaw to bypass certain Java sandbox
restrictions (CVE-2015-0477).

A directory traversal flaw was found in the way the jar tool extracted JAR
archive files. A specially crafted JAR archive could cause jar to overwrite
arbitrary files writable by the user running jar when the archive was
extracted (CVE-2005-1080, CVE-2015-0480).

It was found that the RSA implementation in the JCE component in OpenJDK
did not follow recommended practices for implementing RSA signatures
(CVE-2015-0478).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488
http://blog.fuseyism.com/index.php/2015/04/15/security-icedtea-2-5-5-for-openjdk-7-released/
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
https://rhn.redhat.com/errata/RHSA-2015-0806.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.mga4
java-1.7.0-openjdk-headless-1.7.0.79-2.5.5.1.mga4
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.mga4
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.mga4
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.mga4
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.mga4
java-1.7.0-openjdk-accessibility-1.7.0.79-2.5.5.1.mga4

from java-1.7.0-openjdk-1.7.0.79-2.5.5.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-04-15 15:27:46 CEST 
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-04-15 16:24:30 CEST 
Working fine on Mageia 4 i586, showing 1.7.0_79.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

David Walser 2015-04-15 18:49:06 CEST

URL: (none) => http://lwn.net/Vulnerabilities/640410/

Comment 3 claire robinson 2015-04-15 18:53:11 CEST 
Working fine mga4 64 too

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok

Comment 4 claire robinson 2015-04-15 18:56:49 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-04-15 19:23:26 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0158.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED