Bug 9264

Summary: java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.8
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: dmorganec, sysadmin-bugs, wrw105
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: has_procedure mga2-32-ok MGA2-64-OK
Source RPM: java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2013-03-05 16:51:56 CET 
IcedTea7 2.3.8 is out, though it hasn't been released yet.

It likely fixes the same two CVEs that were just fixed in IcedTea6.

Updated packages uploaded for Mageia 2 and Cauldron.

Advisory to come later.

Updated RPMs:
java-1.7.0-openjdk-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-debug-1.7.0.6-2.3.8.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.8.1.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-03-05 16:54:30 CET 
Again!?
Comment 2 David Walser 2013-03-06 22:36:45 CET 
Finally, RedHat has issued their advisory:
https://rhn.redhat.com/errata/RHSA-2013-0602.html

This one still needs to be tested.  Here's the advisory (same CVEs as 6).

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

An integer overflow flaw was found in the way the 2D component handled
certain sample model instances. A specially-crafted sample model instance
could cause Java Virtual Machine memory corruption and, possibly, lead to
arbitrary code execution with virtual machine privileges (CVE-2013-0809).

It was discovered that the 2D component did not properly reject certain
malformed images. Specially-crafted raster parameters could cause Java
Virtual Machine memory corruption and, possibly, lead to arbitrary code
execution with virtual machine privileges (CVE-2013-1493).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
https://rhn.redhat.com/errata/RHSA-2013-0602.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-debug-1.7.0.6-2.3.8.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.8.1.mga2.src.rpm

Severity: normal => critical

Comment 3 claire robinson 2013-03-06 23:29:46 CET 
Testing complete mga2 32

# update-alternatives --config java

Select 1.7.0

$ javac HelloWorldApp.java
$ java HelloWorldApp
Hello World!

Whiteboard: (none) => has_procedure mga2-32-ok

Comment 4 Bill Wilkinson 2013-03-07 04:47:05 CET 
Testing complete mga2 64

HelloWorld app and OddEven work as expected.

Keywords: (none) => validated_update
CC: (none) => wrw105
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok MGA2-64-OK

Comment 5 Bill Wilkinson 2013-03-07 04:48:21 CET 
validating.

Advisory and package list in comment 2.

can someone from the sysadmin team please push from core/updates_testing to core/updates?

Thanks!
Comment 6 David Walser 2013-03-07 13:46:43 CET 
Thanks Bill.  Please remember to CC sysadmin-bugs when validating.

CC: (none) => sysadmin-bugs

Comment 7 D Morgan 2013-03-09 01:59:09 CET 
Update pushed: 
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0088

Status: NEW => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED