Bug 9256 - java-1.6.0-openjdk new security issues fixed in IcedTea6 1.11.9
: java-1.6.0-openjdk new security issues fixed in IcedTea6 1.11.9
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/541565/
: has_procedure mga2-64-ok mga2-32-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-03-05 04:08 CET by David Walser
Modified: 2013-03-09 02:15 CET (History)
2 users (show)

See Also:
Source RPM: java-1.6.0-openjdk-1.6.0.0-38.b24.1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-03-05 04:08:23 CET
IcedTea6 has been released, fixing two security issues:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-March/022145.html

Oracle has also released an emergency update of Java 6/7, citing one of these issues as being actively exploited in the wild (CVE-2013-1493):
http://freecode.com/projects/sunjdk/releases/352794

Updated package uploaded for Mageia 2.

Advisory to come later.

Updated RPMs:
java-1.6.0-openjdk-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-demo-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-devel-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-javadoc-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-src-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-debug-1.6.0.0-39.b24.1.mga2

from java-1.6.0-openjdk-1.6.0.0-39.b24.1.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-03-05 10:48:39 CET
Is openjdk affected by this..

"Oracle notes that Java 6u43 will be the last publicly available update for Java 6 and advises users to upgrade to Java 7. The public availability of Java 6 updates was supposed to end with Java 6 Update 41, released on Feb. 19, but it seems the company made an exception for this emergency patch."

Given the rate of critical java updates this last month we should prepare to move if necessary before the next one hits.
Comment 2 claire robinson 2013-03-05 11:00:35 CET
Testing complete mga2 64

Tested with icedtea-web and java test page
http://www.java.com/en/download/testjava.jsp
Comment 3 claire robinson 2013-03-05 11:12:32 CET
Oops forgot this bit.

Testing complete mga2 32

Validating

Advisory TBC, srpm comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 4 David Walser 2013-03-05 15:31:49 CET
No announcements from RedHat or the upstream blog yet, so here's what I have for now.

Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

An integer overflow flaw was found in the way the 2D component handled certain
sample model instances.  A specially-crafted sample model instance could cause
Java Virtual Machine memory corruption and, possibly, lead to arbitrary code
execution with the virtual machine privileges (CVE-2013-0809).

It was discovered that the CMM part of the 2D component did not properly
reject certain malformed images.  Specially-crafted raster parameters could
cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary
code execution with the virtual machine privileges (CVE-2013-1493).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-March/022145.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0809
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1493
========================

Updated packages in core/updates_testing:
========================
java-1.6.0-openjdk-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-demo-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-devel-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-javadoc-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-src-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-debug-1.6.0.0-39.b24.1.mga2

from java-1.6.0-openjdk-1.6.0.0-39.b24.1.mga2.src.rpm
Comment 5 David Walser 2013-03-05 15:42:15 CET
(In reply to claire robinson from comment #1)
> Is openjdk affected by this..

You mean the fact that Java 6 is now EOL at Oracle?

I've been wondering the same thing, I don't know what the IcedTea people are planning, and if they can/will continue to support IcedTea6.  If not, we'll have to switch icedtea-web to use java-1.7.0-openjdk at some point.
Comment 6 David Walser 2013-03-06 19:42:55 CET
Ubuntu has issued an advisory for this on March 5:
http://www.ubuntu.com/usn/usn-1755-1/

I'll use their CVE descriptions for the final advisory.

This can be pushed now.

Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

It was discovered that OpenJDK did not properly validate certain types
of images. A remote attacker could exploit this to cause OpenJDK to crash
(CVE-2013-0809).

It was discovered that OpenJDK did not properly check return values when
performing color conversion for images. If a user were tricked into
opening a crafted image with OpenJDK, such as with the Java plugin, a
remote attacker could cause OpenJDK to crash or execute arbitrary code
outside of the Java sandbox with the privileges of the user invoking the
program (CVE-2013-1493).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-March/022145.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
http://www.ubuntu.com/usn/usn-1755-1/
========================

Updated packages in core/updates_testing:
========================
java-1.6.0-openjdk-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-demo-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-devel-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-javadoc-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-src-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-debug-1.6.0.0-39.b24.1.mga2

from java-1.6.0-openjdk-1.6.0.0-39.b24.1.mga2.src.rpm
Comment 7 David Walser 2013-03-06 22:34:18 CET
Finally, RedHat has issued their advisory:
https://rhn.redhat.com/errata/RHSA-2013-0605.html

Using theirs for reference again, final advisory this time :o)


Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

An integer overflow flaw was found in the way the 2D component handled
certain sample model instances. A specially-crafted sample model instance
could cause Java Virtual Machine memory corruption and, possibly, lead to
arbitrary code execution with virtual machine privileges (CVE-2013-0809).

It was discovered that the 2D component did not properly reject certain
malformed images. Specially-crafted raster parameters could cause Java
Virtual Machine memory corruption and, possibly, lead to arbitrary code
execution with virtual machine privileges (CVE-2013-1493).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-March/022145.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
https://rhn.redhat.com/errata/RHSA-2013-0605.html
========================

Updated packages in core/updates_testing:
========================
java-1.6.0-openjdk-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-demo-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-devel-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-javadoc-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-src-1.6.0.0-39.b24.1.mga2
java-1.6.0-openjdk-debug-1.6.0.0-39.b24.1.mga2

from java-1.6.0-openjdk-1.6.0.0-39.b24.1.mga2.src.rpm
Comment 8 David Walser 2013-03-08 19:28:12 CET
(In reply to David Walser from comment #5)
> (In reply to claire robinson from comment #1)
> > Is openjdk affected by this..
> 
> You mean the fact that Java 6 is now EOL at Oracle?
> 
> I've been wondering the same thing, I don't know what the IcedTea people are
> planning, and if they can/will continue to support IcedTea6.  If not, we'll
> have to switch icedtea-web to use java-1.7.0-openjdk at some point.

RedHat is going to continue to support OpenJDK6:
http://www.redhat.com/about/news/press-archive/2013/3/red-hat-reinforces-java-commitment
Comment 9 D Morgan 2013-03-09 02:13:23 CET
update pushed: 
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0089
Comment 10 D Morgan 2013-03-09 02:15:15 CET
closing

Note You need to log in before you can comment on or make changes to this bug.