Bug 18069 - java-1.8.0-openjdk new security issue CVE-2016-0636
Summary: java-1.8.0-openjdk new security issue CVE-2016-0636
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/681387/
Whiteboard: has_procedure advisory MGA5-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-03-25 17:10 CET by David Walser
Modified: 2016-04-06 16:10 CEST

See Also:
Source RPM: java-1.8.0-openjdk-1.8.0.72-1.b15.1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-03-25 17:10:42 CET
Red Hat has issued an advisory on March 24:
https://rhn.redhat.com/errata/RHSA-2016-0513.html

One of their patches includes a private nss header that it should not.  Some references about this:
https://bugzilla.mozilla.org/show_bug.cgi?id=206926
https://bugzilla.redhat.com/show_bug.cgi?id=675196
https://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/2014-July/016117.html

Hopefully it builds fine without the patch.

Updated packages building for Mageia 5 and Cauldron.

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerability:

An improper type safety check was discovered in the Hotspot component. An
untrusted Java application or applet could use this flaw to bypass Java
Sandbox restrictions (CVE-2016-0636).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0636
https://rhn.redhat.com/errata/RHSA-2016-0513.html
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-headless-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-devel-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-demo-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-src-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.77-1.b03.1.mga5

from java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5.src.rpm
Comment 1 David Walser 2016-03-25 17:10:54 CET
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-03-25 21:18:05 CET
Even with reverting all of the changes that depend on their hacked up nss packages that expose private headers, it still doesn't build, saying it can't find ecc_impl.h in jdk/src/share/native/sun/security/ec/impl/, even though it's there.

CC: (none) => qa-bugs
Assignee: qa-bugs => pkg-bugs

Comment 3 Pascal Terjan 2016-03-25 21:55:29 CET
The failure is that it cannot find ecl-exp.h, included by ecc_impl.h, and indeed it does not exist.

CC: (none) => pterjan

Comment 4 Pascal Terjan 2016-03-25 21:57:52 CET
+#ifdef SYSTEM_NSS
+#include <secitem.h>
+#include <secerr.h>
+#include <keythi.h>
+#ifdef LEGACY_NSS
+#include <softoken.h>
+#else
+#include <blapi.h>
+#endif
+#else
+#include "ecl-exp.h"
+#endif
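
Review bot: the SYSTEM_NSS branch ends in an unconditional include of <blapi.h> (the inner #else), and this report identifies blapi.h as a private NSS header that the distribution's NSS development package does not ship, so that branch only compiles against an NSS build that exports it. Either restrict the SYSTEM_NSS branch to headers NSS installs publicly, or have the build probe for the header and fail with a clear message instead of a missing-file error deep in the compile. The fallback #include "ecl-exp.h" likewise assumes the file is present next to ecc_impl.h in the source tree, which is worth stating in a comment. Annotating the nested #else and #endif lines with the macro they close (SYSTEM_NSS, LEGACY_NSS) would also make the block easier to follow.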

So having SYSTEM_NSS set would avoid that, else we need that header.
Comment 5 Pascal Terjan 2016-03-25 22:08:14 CET
Hmm the patch is disabled, but actually it was already included without the patch, the patch is only moving the file from openjdk/jdk/src/share/native/sun/security/ec/ecc_impl.h to openjdk/jdk/src/share/native/sun/security/ec/impl/ecc_impl.h but the inclusion of ecl-exp.h is already there in openjdk sources without patch.
Comment 6 Pascal Terjan 2016-03-25 22:17:22 CET
lib64nss-devel:/usr/include/nss/ecl-exp.h

So -I/usr/include/nss would probably work but that seems strange

I actually failed to find what this header is needed for, but I would suggest trying one of those:
- Adding the patch + --enable-system-nss
- Removing the include
Comment 7 David Walser 2016-03-25 22:21:28 CET
The system nss thing doesn't build because it depends on blapi.h, a private NSS header that's not shipped in the package, as I mentioned in Comment 0.  It basically is dependent on Fedora's packaging of it.
Comment 8 Pascal Terjan 2016-03-25 22:45:00 CET
I don't know why the file is not in the tarball, it seems to exist in the hg tree:

http://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/20f2ccffa30f/src/share/native/sun/security/ec/impl/ecl-exp.h

Specfile says:

# aarch64-port now contains integration forest of both aarch64 and normal jdk
# Source from upstream OpenJDK8 project. To regenerate, use
# VERSION=aarch64-jdk8u77-b03 FILE_NAME_ROOT=aarch64-port-jdk8u-${VERSION}
# REPO_ROOT=<path to checked-out repository> generate_source_tarball.sh
# where the source is obtained from http://hg.openjdk.java.net/%%{project}/%%{repo}

But even in the aarch64-port project, the file is there:

http://hg.openjdk.java.net/aarch64-port/jdk8u/jdk/file/9331bfc2d798/src/share/native/sun/security/ec/impl
Comment 9 David Walser 2016-03-25 22:47:08 CET
Probably because of the generate_source_tarball.sh that they use to generate the tarball, as stated in the comments you quoted.  From that script:

mv -v jdk/src/share/native/sun/security/ec/impl/ecc_impl.h .
rm -vrf jdk/src/share/native/sun/security/ec/impl
mkdir jdk/src/share/native/sun/security/ec/impl
mv -v ecc_impl.h jdk/src/share/native/sun/security/ec/impl
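
The dangling include traced in comments 3 to 9 can be caught on the repacked tree before any build is started. The script below is an added example, not part of the original thread or of the generate_source_tarball.sh script quoted above; the function names find_dangling_includes and make_stripped_tree and the miniature source tree are assumptions constructed for illustration. It checks only quoted includes, resolved against the including file's directory plus any extra include directories passed as arguments.

```shell
#!/bin/sh
# Added example: report every  #include "x.h"  under ROOT whose target exists
# neither beside the including file nor in an extra include directory.
# Usage: find_dangling_includes ROOT [INCDIR...]
find_dangling_includes() {
    root=$1; shift
    find "$root" -type f \( -name '*.h' -o -name '*.c' \) | sort |
    while IFS= read -r src; do
        dir=$(dirname "$src")
        # Extract the file name from each quoted include directive.
        sed -n 's/^[[:space:]]*#[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$src" |
        while IFS= read -r inc; do
            found=no
            for d in "$dir" "$@"; do
                if [ -f "$d/$inc" ]; then found=yes; break; fi
            done
            [ "$found" = yes ] || printf '%s: missing "%s"\n' "${src#"$root"/}" "$inc"
        done
    done
}

# Constructed miniature of jdk/src/share/native/sun/security/ec, followed by
# the four steps quoted in comment 9 (without -v, to keep stdout clean).
# Prints the path of the temporary tree; the header contents are stand-ins.
make_stripped_tree() {
    t=$(mktemp -d) && ec=$t/jdk/src/share/native/sun/security/ec
    mkdir -p "$ec/impl"
    printf '#include "ecl-exp.h"\n' > "$ec/impl/ecc_impl.h"
    printf '/* constructed stand-in */\n' > "$ec/impl/ecl-exp.h"
    ( cd "$t" &&
      mv jdk/src/share/native/sun/security/ec/impl/ecc_impl.h . &&
      rm -rf jdk/src/share/native/sun/security/ec/impl &&
      mkdir jdk/src/share/native/sun/security/ec/impl &&
      mv ecc_impl.h jdk/src/share/native/sun/security/ec/impl )
    printf '%s\n' "$t"
}

# Demonstration: the stripped tree leaves ecc_impl.h with an unresolved include.
tree=$(make_stripped_tree)
find_dangling_includes "$tree"
rm -rf "$tree"
```

Passing a directory that provides the header as a second argument, as the -I/usr/include/nss idea in comment 6 would, makes the report come back empty.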
David Walser 2016-03-28 16:52:07 CEST

URL: (none) => http://lwn.net/Vulnerabilities/681387/

Comment 10 Nicolas Salguero 2016-04-02 15:30:14 CEST
Hi,

I tried to build openjdk and I came to the conclusion that we have two options:
  - Use the system nss patches: in that case, we have to build nss like Fedora does (the build not only needs blapi.h but also /usr/lib64/libfreebl.a because /usr/lib64/libfreebl.so.3 does not contain the necessary symbols).
  - Add all the missing files from http://hg.openjdk.java.net/aarch64-port/jdk8u/jdk/file/9331bfc2d798/src/share/native/sun/security/ec/impl in the tarball and do not use the system nss patches (and I am not sure patch 12 is needed either).

As the first solution uses a static library and not a dynamic one, I do not see any interest in changing the way we package nss and I think the second solution is easier.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 11 Nicolas Salguero 2016-04-04 15:10:31 CEST
Hi,

On my machine, I was able to build openjdk without patch 12 but with a "complete" tarball (with all the missing files in src/share/native/sun/security/ec/impl) for mga5.

If no one disagrees with my method, I can commit my modifications in mga5 and cauldron and launch the build.

Best regards,

Nico.
Comment 12 Pascal Terjan 2016-04-04 15:17:47 CEST
Yes, using the tarball with the files not removed seems the right way to do it.
Comment 13 Nicolas Salguero 2016-04-04 16:19:58 CEST
So I did it.
Nicolas Salguero 2016-04-04 16:20:56 CEST

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 14 Rémi Verschelde 2016-04-04 17:48:50 CEST
Thanks Nicolas, please remember to give a list of all RPMs and SRPMs when assigning an update candidate to the QA team. See:
- Policy: https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29
- Example: https://bugs.mageia.org/show_bug.cgi?id=16998#c0
Comment 15 Nicolas Salguero 2016-04-04 17:53:18 CEST
Sorry, I did not give it because I thought the list given in comment 0 was sufficient:

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-headless-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-devel-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-demo-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-src-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.77-1.b03.1.mga5

from java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5.src.rpm
Comment 16 Rémi Verschelde 2016-04-04 18:08:27 CEST
My bad, it was indeed sufficient, I had overlooked it. But now it's crystal clear :)
Comment 17 David Walser 2016-04-04 22:51:35 CEST
Thanks Nicolas!

I just remembered that I intended to update icedtea-web the next time that I updated this package.  Version 1.6.2 is a bugfix release.

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerability:

An improper type safety check was discovered in the Hotspot component. An
untrusted Java application or applet could use this flaw to bypass Java
Sandbox restrictions (CVE-2016-0636).

Also, the icedtea-web package has been updated to version 1.6.2 to fix all
known issues in the Java browser plugin.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0636
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2016-February/034831.html
https://rhn.redhat.com/errata/RHSA-2016-0513.html
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-headless-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-devel-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-demo-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-src-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.77-1.b03.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.77-1.b03.1.mga5
icedtea-web-1.6.2-1.mga5
icedtea-web-javadoc-1.6.2-1.mga5

from SRPMS:
java-1.8.0-openjdk-1.8.0.77-1.b03.1.mga5.src.rpm
icedtea-web-1.6.2-1.mga5.src.rpm
Comment 18 David Walser 2016-04-04 23:57:48 CEST
Cisco ASDM and some Java plugin tests work fine.  Even the one on java.com works again!  Testing complete Mageia 5 x86_64.

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 19 David Walser 2016-04-05 04:43:44 CEST
Tested fine on Mageia 5 i586 as well.

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 20 claire robinson 2016-04-06 10:12:35 CEST
Validating, thanks David.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 21 claire robinson 2016-04-06 10:17:53 CEST
advisory uploaded

Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

Comment 22 Mageia Robot 2016-04-06 16:10:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0130.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

