Bug 24293 - java-1.8.0-openjdk new security issues
Summary: java-1.8.0-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-01 22:48 CET by David Walser
Modified: 2019-02-28 15:58 CET

See Also:
Source RPM: java-1.8.0-openjdk-1.8.0.191-1.b12.2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2019-02-01 22:48:25 CET
The January Oracle CPU for 2019 is out:
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixJAVA

It looks like Fedora is preparing the update in the master branch now, so we should resync with it.
David Walser 2019-02-01 22:48:32 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Nicolas Salguero 2019-02-07 13:21:07 CET
Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Vulnerability in the Java Advanced Management Console component of Oracle Java SE (subcomponent: Server). The supported version that is affected is Java Advanced Management Console: 2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java Advanced Management Console. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java Advanced Management Console, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java Advanced Management Console accessible data as well as unauthorized read access to a subset of Java Advanced Management Console accessible data. (CVE-2019-2540)

An issue was discovered in libjpeg 9a. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file. (CVE-2018-11212)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2019-2426)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). The supported version that is affected is Java SE: 8u192. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2019-2449)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2019-2422)

References:
========================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2422
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixJAVA

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-headless-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-devel-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-demo-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-src-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-javadoc-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-accessibility-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6

from SRPMS:
java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6.src.rpm

Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA6TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 6

Nicolas Salguero 2019-02-07 13:24:01 CET

CC: (none) => nicolas.salguero
Source RPM: java-1.8.0-openjdk => java-1.8.0-openjdk-1.8.0.191-1.b12.2.mga6.src.rpm

Comment 2 Herman Viaene 2019-02-08 10:56:26 CET
MGA6-32 MATE on IBM Thinkpad R50e
Not possible to install java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6.
openjfx seems to be at 1.8.0.201-1.b08.3.mga6 and that blocks the installation. And openjfx gets an error because of the presence of openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6.i586.

CC: (none) => herman.viaene

Comment 3 Nicolas Salguero 2019-02-08 16:02:59 CET
Hi,

Did you try to install all the packages or just some of them?

If you want to install java-1.8.0-openjdk-openjfx, you also need to install java-1.8.0-openjdk-openjfx-devel and java-1.8.0-openjfx.

On my machine (x86_64), I got no problem when I installed:
java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjfx-1.8.0.201-1.b08.3.mga6
java-1.8.0-openjdk-src-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-devel-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-headless-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-javadoc-1.8.0.201-1.b09.2.mga6

Best regards,

Nico.
Comment 4 Herman Viaene 2019-02-08 16:12:56 CET
@ Nicolas,

I tried to install the packages as indicated in this bug and the update bug on jfx. But as usual I leave out (space!!) the develop packages.
But if packages are needed, shouldn't that show up as dependencies???
Comment 5 Nicolas Salguero 2019-02-08 16:33:34 CET
Yes it should:

rpm -q --requires java-1.8.0-openjfx|grep openj
"""
java-1.8.0-openjdk
java-1.8.0-openjdk-openjfx
java-1.8.0-openjdk-openjfx-devel
"""

rpm -q --requires java-1.8.0-openjdk-openjfx|grep openj
"""
java-1.8.0-openjdk(x86-64) = 1:1.8.0.201-1.b09.2.mga6
openjfx(x86-64)
"""

rpm -q --requires java-1.8.0-openjdk-openjfx-devel|grep openj
"""
java-1.8.0-openjdk-devel(x86-64) = 1:1.8.0.201-1.b09.2.mga6
openjfx-devel(x86-64)
"""
Comment 6 Len Lawrence 2019-02-09 00:58:00 CET
mga6, x86_64

Installed all packages pre-testing.  Several POC available.  Have collected files and shall test later.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2019-02-09 10:05:09 CET
Tracked down 49 POC files and downloaded them from repositories:
https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a/Segmentation%20fault
https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a/Floating%20point%20exception

jmemm* for floating point exceptions
rdppm* for segmentation faults

Oracle's Java SE Risk Matrix tabulates these vulnerable components:

CVE-2019-2540    Server
CVE-2018-11212   ImageIO (libjpeg)
CVE-2019-2426    Networking
CVE-2019-2449    Deployment
CVE-2019-2422    Libraries

So, it looks like the 49 POC relate entirely to faults in the libjpeg library (they require cjpeg for testing) which seems like an entirely separate issue.
Not a lot of point in running them, and as there are no tests for the other CVEs and this tester lacks Java knowledge, I am going to go for a clean update.

- java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-accessibility-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-demo-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-devel-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-headless-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-javadoc-1.8.0.201-1.b09.2.mga6.noarch
- java-1.8.0-openjdk-javadoc-zip-1.8.0.201-1.b09.2.mga6.noarch
- java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-src-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjfx-1.8.0.201-1.b08.3.mga6.x86_64

$ java -version
openjdk version "1.8.0_201"
OpenJDK Runtime Environment (build 1.8.0_201-b09)
OpenJDK 64-Bit Server VM (build 25.201-b09, mixed mode)

Compiled some elementary scripts and ran them.
$ javac -cp ".:/usr/share/java/*" FreshJuiceTest.java
$ java FreshJuiceTest
Size: MEDIUM
$ javac -cp ".:/usr/share/java/*" Hello.java
$ java Hello
Hello World
$ javac -cp ".:/usr/share/java/*" helloworld.java
$ java helloworld
Hello World!

The last line was the response from the "Say 'Hello World'" button in the window which popped up.

Whiteboard: (none) => MGA6-64-OK

Comment 8 Herman Viaene 2019-02-09 10:35:27 CET
This time selected all packages of jdk and jfx in one go, all install OK.
Usual tests OK:
$ java -version
openjdk version "1.8.0_201"
OpenJDK Runtime Environment (build 1.8.0_201-b09)
OpenJDK Server VM (build 25.201-b09, mixed mode)

$ javac helloworld.java 
$ java helloworld 
Prism-ES2 Error : GL_VERSION (major.minor) = 1.3
Gtk-Message: Failed to load module "canberra-gtk-module"
Hello World!

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Comment 9 Len Lawrence 2019-02-09 12:58:24 CET
Herman, that irritating message can be avoided if you
# urpmi libcanberra-gtk0
Comment 10 Thomas Andrews 2019-02-11 00:32:46 CET
Validating. Suggested advisory in Comment 1

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 11 David Walser 2019-02-11 13:34:15 CET
Fedora has issued an advisory for this today (February 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FBCSRCXPFXMLIIXKX5OBGHGUOEGGERHS/

Please include that in the advisory References.
Dave Hodgins 2019-02-13 02:55:34 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 12 Mageia Robot 2019-02-13 12:10:39 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0071.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 13 David Walser 2019-02-28 15:58:22 CET
RedHat has issued an advisory for this today (February 28):
https://access.redhat.com/errata/RHSA-2019:0435
