Bug 28874 - java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk new security issues
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Java Stack Maintainers
QA Contact: Sec team
Depends on:
Blocks: 29145
Reported: 2021-05-04 10:22 CEST by Nicolas Salguero
Modified: 2021-06-16 23:15 CEST

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk
CVE: CVE-2021-2161, CVE-2021-2163
Status comment:

urpmi --test log up until canceled (213.74 KB, text/plain)
2021-06-13 23:34 CEST, Dave Hodgins
urpmi --debug log (167.71 KB, text/plain)
2021-06-15 22:43 CEST, Dave Hodgins

Nicolas Salguero 2021-05-04 10:24:01 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
CVE: (none) => CVE-2021-2161, CVE-2021-2163
Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk

Comment 1 Aurelien Oudelet 2021-05-04 15:33:46 CEST
Hi, thanks for reporting this.
Assigning to Java Stack maintainers.

CC: (none) => ouaurelien
Assignee: bugsquad => java

Comment 2 Nicolas Lécureuil 2021-05-04 17:16:21 CEST
OK, taking it.

CC: (none) => mageia

Comment 3 Nicolas Lécureuil 2021-05-20 15:16:31 CEST
            - copy-jdk-configs-4.0-1.mga7
            - java-1.8.0-openjdk-
            - copy-jdk-configs-4.0-1.mga8
            - java-1.8.0-openjdk-

Java 11 in progress.

Comment 4 Dave Hodgins 2021-05-21 01:59:42 CEST
Fails to install in Mageia 7 i586 ...
A requested package cannot be installed:
copy-jdk-configs-4.0-1.mga7.noarch (due to unsatisfied /usr/bin/lua)

Not clear why ...
# ll /usr/bin/lua*
lrwxrwxrwx 1 root root     21 Sep 25  2020 /usr/bin/lua -> /etc/alternatives/lua*
-rwxr-xr-x 1 root root 234180 Sep  2  2020 /usr/bin/lua5.2*
lrwxrwxrwx 1 root root     22 Sep 25  2020 /usr/bin/luac -> /etc/alternatives/luac*
-rwxr-xr-x 1 root root 158468 Sep  2  2020 /usr/bin/luac5.2*
[root@i7v ~]# ll /etc/alternatives/lua
lrwxrwxrwx 1 root root 15 Sep 25  2020 /etc/alternatives/lua -> /usr/bin/lua5.2*

CC: (none) => davidwhodgins

Comment 5 Nicolas Lécureuil 2021-05-26 15:57:55 CEST
            - timezone-2021a-1.1.mga7
            - copy-jdk-configs-4.0-1.1.mga7
            - java-1.8.0-openjdk-
            - copy-jdk-configs-4.0-1.mga8
            - java-1.8.0-openjdk-

Comment 6 David Walser 2021-05-26 18:12:48 CEST
Nicolas, you need to build the mga7 timezone update without the subrel.

Comment 7 Dave Hodgins 2021-05-27 00:36:12 CEST
Also on Mageia 7 ...
Sorry, the following package cannot be selected:

- java-1.8.0-openjdk- (due to unsatisfied libXcomposite(x86-64))

# rpm -q --provides lib64xcomposite1
lib64xcomposite1 = 0.4.5-1.mga7
lib64xcomposite1(x86-64) = 0.4.5-1.mga7
libxcomposite = 0.4.5

That's not a problem on Mageia 8 ...
$ rpm -q --provides lib64xcomposite1
lib64xcomposite1 = 0.4.5-3.mga8
lib64xcomposite1(x86-64) = 0.4.5-3.mga8
libXcomposite(x86-64) = 0.4.5
libxcomposite = 0.4.5

Comment 8 Dave Hodgins 2021-05-27 03:07:57 CEST
Now getting ...
Sorry, the following package cannot be selected:

- java-1.8.0-openjdk- (due to unsatisfied xorg-x11-fonts-Type1)

# urpmq -y xorg-x11|grep font|sort -u
[root@x3 ~]# rpm -q --provides xorg-x11-100dpi-fonts
XFree86-100dpi-fonts = 7.7-8.mga7
xorg-x11-100dpi-fonts = 7.7-8.mga7
xorg-x11-100dpi-fonts(x86-64) = 7.7-8.mga7

# rpm -q --provides xorg-x11-75dpi-fonts
XFree86-75dpi-fonts = 7.7-8.mga7
xorg-x11-75dpi-fonts = 7.7-8.mga7
xorg-x11-75dpi-fonts(x86-64) = 7.7-8.mga7

# urpmq -y Type1
No package named Type1
# urpmq -y type1

Comment 9 David Walser 2021-06-01 03:48:16 CEST
java-1.8.0-openjdk is still not installable, causing rootcerts not to be buildable for the Firefox update.

Comment 10 Dave Hodgins 2021-06-01 16:49:08 CEST
Adding sysadmin team to cc list.

Please remove java-1.8.0-openjdk- and its
associated rpm packages from the Mageia 7 Core Updates Testing repositories.

CC: (none) => sysadmin-bugs

Comment 11 Dave Hodgins 2021-06-13 20:40:03 CEST

To get this security update going again, I recommend splitting it into two. One
for Mageia 7 and one for Mageia 8.

The Mageia 8 update looks ready to go.

The Mageia 7 update either needs to be redone starting with the
latest working Mageia 7 srpm, or it also has to include all of the packages
used as dependencies of openjdk that have changed names between Mageia 7 and 8.
Another option for Mageia 7 is to simply drop this update for it since m7 will
reach end of support in a little over 2 weeks.

Regardless, the java-1.8.0-openjdk- and associated
rpm packages need to be removed from the Mageia 7 updates testing repos.

Comment 12 Nicolas Lécureuil 2021-06-13 22:52:54 CEST
Why remove java-1.8.0-openjdk- from repos?
It still does not install? I removed all and fixed/rebuilt.

For Mageia 8 I need to understand why java11 fails to bundle all the files :)

Comment 13 Dave Hodgins 2021-06-13 23:34:19 CEST
Created attachment 12771
urpmi --test log up until canceled

I wasn't aware it had been rebuilt. It is still not ok.
Attaching the urpmi log up until I canceled.

Comment 14 Nicolas Lécureuil 2021-06-14 09:58:51 CEST
Thank you for the log, I found an error.

Btw, new java 11 available on cauldron, I backport on mga8.

Comment 15 Nicolas Lécureuil 2021-06-15 15:25:08 CEST
Can you test new java8 on mga7 please?

Comment 16 Dave Hodgins 2021-06-15 18:01:39 CEST
Still fails ...
installed java-1.8.0-openjdk- is conflicting because of unsatisfied libjvm.so()(64bit)
installed java-1.8.0-openjdk- is conflicting because of unsatisfied libjvm.so(SUNWprivate_1.1)(64bit)
installed java-1.8.0-openjdk- is conflicting because of unsatisfied libjava.so(SUNWprivate_1.1)(64bit)
installed java-1.8.0-openjdk- is conflicting because of unsatisfied libjli.so(SUNWprivate_1.1)(64bit)
installed java-1.8.0-openjdk- is conflicting because of unsatisfied libjava.so()(64bit)
installed java-1.8.0-openjdk- is conflicting because of unsatisfied libawt.so()(64bit)
installed java-1.8.0-openjdk- is conflicting because of unsatisfied libjli.so()(64bit)

Comment 17 Nicolas Lécureuil 2021-06-15 21:51:42 CEST
Please provide the whole logs, this part isn't useful.

Comment 18 Nicolas Lécureuil 2021-06-15 21:52:22 CEST
java11 mageia 8

         - java-11-openjdk-

Comment 19 Dave Hodgins 2021-06-15 22:43:43 CEST
Created attachment 12774
urpmi --debug log

full urpmi --debug log

Attachment 12771 is obsolete: 0 => 1


Comment 20 Dave Hodgins 2021-06-15 22:44:12 CEST
On Mageia 8 the update installs cleanly.

Comment 21 Nicolas Lécureuil 2021-06-16 21:38:46 CEST

Comment 22 Nicolas Lécureuil 2021-06-16 21:39:12 CEST
Can you tell me on Mageia 7 what requires "libjawt.so(SUNWprivate_1.1)(64bit)"?

They will need a rebuild.

Nicolas Lécureuil 2021-06-16 21:47:25 CEST

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8

Nicolas Lécureuil 2021-06-16 21:47:53 CEST

Blocks: (none) => 29145

Nicolas Lécureuil 2021-06-16 21:48:22 CEST

Blocks: 29145 => (none)
Whiteboard: MGA7TOO => (none)
Version: 8 => 7

Comment 23 Dave Hodgins 2021-06-16 23:13:26 CEST
urpmq --whatrequires only works with package names, not files or provides as far as I know.

While the command urpmq --whatprovides 'libjawt.so(SUNWprivate_1.1)(64bit)'
does show that the java openjdk package provides the file, I don't know of
any way to find which packages require the file.

The command 'urpmq --whatrequires-recursive java-1.8.0-openjdk' shows which
packages require it by package name, but it's missing things like libreoffice
that require by file name/arch.

I suspect that a search in the Mageia svn repo will be required to find all of
the package names.

Nicolas Lécureuil 2021-06-16 23:15:20 CEST

Blocks: (none) => 29145
