Bug 18235

Summary: java-1.8.0-openjdk new security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: brtians1, nicolas.salguero, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/684597/
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5.src.rpm CVE:
Status comment:
Attachments: Shell script to download the missing files

Description David Walser 2016-04-21 20:43:58 CEST 
RedHat has issued an advisory on April 20:
https://rhn.redhat.com/errata/RHSA-2016-0650.html

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Updates building now, hopefully successfully.

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the Serialization and Hotspot components in
OpenJDK. An untrusted Java application or applet could use these flaws to
completely bypass Java sandbox restrictions (CVE-2016-0686, CVE-2016-0687).

It was discovered that the RMI server implementation in the JMX component in
OpenJDK did not restrict which classes can be deserialized when deserializing
authentication credentials. A remote, unauthenticated attacker able to connect
to a JMX port could possibly use this flaw to trigger deserialization flaws
(CVE-2016-3427).

It was discovered that the JAXP component in OpenJDK failed to properly handle
Unicode surrogate pairs used as part of the XML attribute values. Specially
crafted XML input could cause a Java application to use an excessive amount of
memory when parsed (CVE-2016-3425).

It was discovered that the GCM (Galois/Counter Mode) implementation in the JCE
component in OpenJDK used a non-constant time comparison when comparing GCM
authentication tags. A remote attacker could possibly use this flaw to
determine the value of the authentication tag (CVE-2016-3426).

It was discovered that the Security component in OpenJDK failed to check the
digest algorithm strength when generating DSA signatures. The use of a digest
weaker than the key strength could lead to the generation of signatures that
were weaker than expected (CVE-2016-0695).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
https://rhn.redhat.com/errata/RHSA-2016-0650.html
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-headless-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-devel-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-demo-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-src-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.91-1.b14.1.mga5

from java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.src.rpm
Comment 1 David Walser 2016-04-21 20:44:18 CEST 
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-04-21 20:51:19 CEST 
Same problem as last time.

Nicolas, can you help with this again?  Maybe rather than regenerating the whole tarball, just make an additional source that includes the missing files.

CC: (none) => nicolas.salguero
Whiteboard: has_procedure => has_procedure feedback

Comment 3 Nicolas Salguero 2016-04-22 12:48:18 CEST 
Created attachment 7691 [details]
Shell script to download the missing files

Hi,

The additional source would also need to be updated because the missing files may have been updated since the previous version.

I made a little shell script (which requires mercurial and wget packages to work) to get the missing files from the corresponding version.

I think that, if we use that script, we should add this command in %prep section, after the line "%setup ...":
"tar xjf %{SOURCEx} -C openjdk/jdk --strip-components=1 --overwrite".

Best regards,

Nico.
Comment 4 David Walser 2016-04-22 14:17:02 CEST 
I think it could be constructed in such a way that it could be added as an additional source argument to %setup so that it wouldn't need another command.
Comment 5 Nicolas Salguero 2016-04-22 16:49:39 CEST 
I was not able to find the right syntax for %setup macro so I used the "tar ..." command given in comment 3, sorry.

I also added "%patch400" in Cauldron version otherwise build failed on "make zip-docs" (I put the line at the same place as in fedora SPEC file).

Now, the build is successful.
Comment 6 David Walser 2016-04-22 18:23:14 CEST 
OK, thanks again for the help Nicolas!

Whiteboard: has_procedure feedback => has_procedure

Comment 7 Brian Rockwell 2016-04-22 19:51:08 CEST 
[brian@localhost ~]$ uname -a
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:05:51 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

----installation----

The following 3 packages are going to be installed:

- java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64
- java-1.8.0-openjdk-devel-1.8.0.91-1.b14.1.mga5.x86_64
- java-1.8.0-openjdk-headless-1.8.0.91-1.b14.1.mga5.x86_64

18KB of additional disk space will be used.

36MB of packages will be retrieved.

-------------------

Before installation

[brian@localhost ~]$ java -version
openjdk version "1.8.0_77"
OpenJDK Runtime Environment (build 1.8.0_77-b03)
OpenJDK 64-Bit Server VM (build 25.77-b03, mixed mode)


After installation

[brian@localhost ~]$ java -version
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

Ran Eclipse


Go into Help | Installation Details | Configuration

sun.arch.data.model=64
sun.boot.class.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/resources.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/rt.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/jsse.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/jce.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/charsets.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/jfr.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/classes
sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/amd64
sun.cpu.endian=little


Seems to be working properly to me.

CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 8 Brian Rockwell 2016-04-23 00:35:21 CEST 
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:37:30 UTC 2016 i686 i686 i686 GNU/Linux


The following 6 packages are going to be installed:

- java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.i586
- java-1.8.0-openjdk-demo-1.8.0.91-1.b14.1.mga5.i586
- java-1.8.0-openjdk-devel-1.8.0.91-1.b14.1.mga5.i586
- java-1.8.0-openjdk-headless-1.8.0.91-1.b14.1.mga5.i586
- java-1.8.0-openjdk-javadoc-1.8.0.91-1.b14.1.mga5.noarch
- java-1.8.0-openjdk-src-1.8.0.91-1.b14.1.mga5.i586

93MB of additional disk space will be used.

96MB of packages will be retrieved.


openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK Server VM (build 25.91-b14, mixed mode)




followed links Bill provided:

http://www.java.com/en/download/installed.jsp

Verified Java Version
Completion checkmark
Congratulations!


You have the recommended Java installed (Version 8 Update 91).


http://javatester.org/version.html

Successful!

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Brian Rockwell 2016-04-23 00:36:10 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 claire robinson 2016-04-23 14:41:03 CEST 
Nice testing Brian. Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 10 Mageia Robot 2016-04-25 09:58:11 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0149.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED