Date:      Mon, 3 May 2010 15:04:01 +0200
From:      Frank Bartels <freebsd@knarf.de>
To:        freebsd-ports@freebsd.org
Subject:   portaudit prevents installation of linux-sun-jdk16
Message-ID:  <20100503130401.GA54358@server-king.de>



I've sent the following email to java@freebsd.org & secteam@FreeBSD.org
one month ago, but I got no answer.

The same problem still exists with linux-sun-jdk-1.6.0.20.

Date: Mon, 29 Mar 2010 00:48:36 +0200
To: java@freebsd.org, secteam@FreeBSD.org
Subject: portaudit prevents installation of linux-sun-jdk16

Hi java@freebsd.org & secteam@FreeBSD.org,

I think this is both a java and a portaudit issue.

I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6:

http://www.java.com/en/download/faq/firefox_newplugin.xml

So I had a look at the versions of /usr/ports/java/*jdk16* on my
FreeBSD machine.

linux-sun-jdk-1.6.0.18 seems to be the only port in the tree that
meets the requirements. But if I try to make it, portaudit prevents
the build:

===>  linux-sun-jdk-1.6.0.18 has known vulnerabilities:
=> jdk -- jar directory traversal vulnerability.
   Reference: <http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>

But if I have a look at the reference URL, 1.6 does not seem to be
affected. I did a portaudit -F in order to make sure my database
is up to date.

So is this a false positive that should get fixed?

There was a PR on this in 2007:

http://www.freebsd.org/cgi/query-pr.cgi?pr=115558&cat=

The reason for this PR to get closed was that it was reproducible with
linux-sun-jdk-1.6.0.02.

http://freebsd.monkey.org/freebsd-java/200708/msg00101.html

My open questions:

1. Is linux-sun-jdk-1.6.0.18 still vulnerable? Sorry, I don't have
a bad.jar, but I'm willing to test.

2. Shouldn't
http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get
updated in order to make clear at least linux-sun-jdk-1.6.0.02 was
vulnerable?

3. Why does portaudit think it's vulnerable even if the auditfile
does not seem to contain a matching entry for linux-sun-jdk-1.6.0.18?

$ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile
jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-blackdown-jdk<=1.4.2_2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk<=1.3.1.0_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk-freebsd6<=i386.1.5.0.07.00|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-jdk>=0|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability

Thanks for listening,
Knarf
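An added example, not part of the mail above and not portaudit's own code: a small reimplementation of the auditfile matching portaudit performs, so that question 3 can be checked by hand. It parses the `pkgspec|url|title` lines quoted above, compares versions with a reduced model of pkg_version(1) rules (the epoch after `,` is compared first, then the dotted version, then the `_` revision; a trailing `.*` is treated as the prefix before it), and reports which entries an installed package name hits. The sample auditfile lines are constructed from the ones quoted in the mail; the helper names (`affected`, `compare`, `parse_pkgspec`) are the example's own. Run against `linux-sun-jdk-1.6.0.18`, it shows the entry `linux-sun-jdk>=1.5.*<=1.5.2.02,2` matching: the upper bound carries epoch 2, and a package name without an epoch compares lower than any version with one, whatever the dotted part says. The same package with `,2` appended does not match.

```python
"""Match FreeBSD package names against portaudit auditfile entries (added example)."""
import re
from typing import List, Tuple

# Constructed sample in auditfile format: pkgspec|url|title (subset of the lines in the mail).
SAMPLE_AUDITFILE = """\
jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-jdk>=0|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
"""

_CONSTRAINT_RE = re.compile(r"(<=|>=|<|>|=)([^<>=]+)")


def parse_version(ver: str):
    """Split 'VERSION[_REVISION][,EPOCH]' into a tuple that orders like pkg_version -t.

    Simplified model (assumption): epoch first, then dotted components, then revision.
    Numeric tokens compare numerically, alphabetic tokens as strings, and a longer
    version with an equal prefix is the greater one.
    """
    epoch = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        revision = int(r)
    # '1.3.*' is treated as '1.3': the wildcard tail matches any continuation.
    ver = ver.replace(".*", "").replace("*", "")
    parts = tuple(
        (1, int(tok), "") if tok.isdigit() else (0, 0, tok)
        for tok in re.findall(r"\d+|[A-Za-z]+", ver)
    )
    return (epoch, parts, revision)


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like pkg_version -t (under the simplified rules above)."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


_OPS = {
    "<=": lambda c: c <= 0,
    ">=": lambda c: c >= 0,
    "<": lambda c: c < 0,
    ">": lambda c: c > 0,
    "=": lambda c: c == 0,
}


def parse_pkgspec(spec: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'linux-sun-jdk>=1.5.*<=1.5.2.02,2' -> ('linux-sun-jdk', [('>=', '1.5.*'), ('<=', '1.5.2.02,2')])."""
    m = re.match(r"^([^<>=]+)(.*)$", spec)
    if m is None:
        raise ValueError("pkgspec must start with a package name: %r" % spec)
    return m.group(1), _CONSTRAINT_RE.findall(m.group(2))


def split_pkgname(pkg: str) -> Tuple[str, str]:
    """'linux-sun-jdk-1.6.0.18' -> ('linux-sun-jdk', '1.6.0.18'): the version follows the last '-'."""
    name, _, version = pkg.rpartition("-")
    return name, version


def matches(pkg: str, spec: str) -> bool:
    """True when the package name equals the spec's name exactly and every range constraint holds."""
    name, constraints = parse_pkgspec(spec)
    pkg_name, pkg_ver = split_pkgname(pkg)
    if pkg_name != name:
        return False
    return all(_OPS[op](compare(pkg_ver, ver)) for op, ver in constraints)


def affected(pkg: str, auditfile: str = SAMPLE_AUDITFILE) -> List[str]:
    """Return the pkgspecs in auditfile that an installed package name would hit."""
    hits = []
    for line in auditfile.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        spec, _url, _title = line.split("|", 2)
        if matches(pkg, spec):
            hits.append(spec)
    return hits


if __name__ == "__main__":
    for pkg in ("linux-sun-jdk-1.6.0.18", "linux-sun-jdk-1.6.0.18,2",
                "linux-sun-jdk-1.4.2.08", "jdk-1.2.2p11_4"):
        print(pkg, "->", affected(pkg) or "no matching entry")
```

The check a port maintainer would run on the real system is `pkg_version -t 1.6.0.18 1.5.2.02,2`, which reports `<` for the same reason; an auditfile range whose upper bound has an epoch will therefore catch every epoch-less version of that package name unless the lower bound carries the same epoch.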
