Date: Thu, 6 May 2010 20:48:00 +0200 (CEST)
From: Juergen Lock <nox@jelal.kn-bremen.de>
To: freebsd@knarf.de
Cc: java@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: portaudit prevents installation of linux-sun-jdk16 (and java browser plugins)
Message-ID: <201005061848.o46Im0q9020849@triton8.kn-bremen.de>
In-Reply-To: <20100503130401.GA54358@server-king.de>
In article <20100503130401.GA54358@server-king.de> you write:
>I've sent the following email to java@freebsd.org & secteam@FreeBSD.org
>one month ago, but I got no answer.
>
>The same problem still exists with linux-sun-jdk-1.6.0.20.
>
>Date: Mon, 29 Mar 2010 00:48:36 +0200
>To: java@freebsd.org, secteam@FreeBSD.org
>Subject: portaudit prevents installation of linux-sun-jdk16
>
>Hi java@freebsd.org & secteam@FreeBSD.org,
>
>I think this is both a java and a portaudit issue.
>
>I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6:
>
>http://www.java.com/en/download/faq/firefox_newplugin.xml
>

Does that actually work for you in Linux ff?  Here I just get either the
applet replaced with a grey box or a hung ff, depending on which version of
Linux ff I try...  (I tried 3.5.8 and 3.5.9, i.e. the www/linux-firefox-devel
port, as well as several ff 3.6 and 3.7 Linux builds off mozilla.org simply
run from the extracted dir; it does work in linux-opera as well as in both
the kde3 and the kde4 versions of konqueror, so I guess it's not the
Linuxolator's fault alone...)

If you want to see for yourself, the new plugin is in

	/usr/local/linux-sun-jdk1.6.0/jre/lib/i386/libnpjp2.so

- symlink that into ~/.mozilla/plugins and then go to e.g.
http://www.java.com/en/download/help/testvm.xml with Linux ff.

And the old plugin in

	/usr/local/linux-sun-jdk1.6.0/jre/plugin/i386/ns7/libjavaplugin_oji.so

hangs Linux ff 3.5.9 too - and obviously doesn't work in ff >= 3.6.

Oh, and the old native plugin,

	/usr/local/diablo-jdk1.6.0/jre/plugin/amd64/ns7/libjavaplugin_oji.so

does work in native ff 3.5, just not in 3.6, of course, because of the API
change.

>So I had a look at the versions of /usr/ports/java/*jdk16* on my
>FreeBSD machine.
>
>linux-sun-jdk-1.6.0.18 seems to be the only port in the tree that
>meets the requirements. But if I try to make it, portaudit prevents
>the build:
>
>===>  linux-sun-jdk-1.6.0.18 has known vulnerabilities:
>=> jdk -- jar directory traversal vulnerability.
>   Reference: <http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>
>
>But if I have a look at the reference URL, 1.6 does not seem to be
>affected. I did a portaudit -F in order to make sure my database
>is up to date.
>
>So is this a false positive that should get fixed?
>
>There was a PR on this in 2007:
>
>http://www.freebsd.org/cgi/query-pr.cgi?pr=115558&cat=
>
>The reason for this PR to get closed was it was reproducible with
>linux-sun-jdk-1.6.0.02.
>
>http://freebsd.monkey.org/freebsd-java/200708/msg00101.html
>
>My open questions:
>
>1. Is linux-sun-jdk-1.6.0.18 still vulnerable? Sorry, I don't have
>a bad.jar, but I'm willing to test.
>

Turns out it actually still is (wtf!!), also linux-sun-jdk-1.6.0.20 which I
just updated to, if I do the test mentioned in:

	http://www.securiteam.com/securitynews/5IP0C0AFGW.html

[...]
zsh triton8% rm /tmp/test
zsh triton8% /usr/local/linux-sun-jdk1.6.0/bin/jar xvf trash.jar
[...]
 inflated: ../../../../tmp/test
zsh: killed     /usr/local/linux-sun-jdk1.6.0/bin/jar xvf trash.jar
zsh triton8% echo $?
137
zsh triton8% ls -l /tmp/test
-rw-r--r--  1 nox  wheel  3 May  6 18:32 /tmp/test
zsh triton8%

(and the SIGKILL is strange too.)

>2. Shouldn't
>http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get
>updated in order to make clear at least linux-sun-jdk-1.6.0.02 was
>vulnerable?
>
>3. Why does portaudit think it's vulnerable even if the auditfile
>does not seem to contain a matching entry for linux-sun-jdk-1.6.0.18?
>
>$ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile
>jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability

..and this is because linux-sun-jdk15 has had its PORTEPOCH bumped twice
(the ,2), while linux-sun-jdk16 has no PORTEPOCH yet, so 1.6.0.18 is
considered smaller than 1.5.2.02,2.  (And once there actually _is_ a
linux-sun-jdk16 version where this bug is fixed, I guess we'd have to do
separate ranges like:

	<range><ge>1.5.*</ge><le>1.6.42</le></range>
	<range><ge>1.5.*,1</ge><le>1.5.2.02,1</le></range>
	<range><ge>1.5.*,2</ge><le>1.5.2.02,2</le></range>
)

 HTH,
	Juergen
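The jar directory traversal reproduced in the message above, as an added example that is not part of the thread, of the JDK, or of portaudit: a Python script that builds a constructed jar (a stand-in for the trash.jar from the securiteam test, not that file) containing a benign entry, an entry named ../../../../tmp/test and an absolute-path entry, then shows the check an extractor has to make before writing each member. The archive contents, helper names and the notional destination "/x" are all assumptions made here. Python's own zipfile.extract() already sanitises such names, so the check is spelled out explicitly to show what the affected `jar xvf` was missing.

```python
"""Detect and block "jar directory traversal" entries in a zip/jar archive.

A jar is a zip file.  `jar xvf` on the affected JDKs wrote the member named
../../../../tmp/test outside the extraction directory.  This added example
builds a constructed jar with such members and shows the containment check a
safe extractor has to apply to every entry name before creating anything.
"""
from __future__ import annotations

import io
import os
import posixpath
import tempfile
import zipfile


def build_trash_jar() -> bytes:
    """Constructed sample archive (assumption: modelled on the trash.jar test
    mentioned in the thread, not that file): two benign members, one relative
    traversal member and one absolute-path member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("ok/hello.txt", "hi\n")
        # writestr() stores the name verbatim, so the traversal survives.
        zf.writestr("../../../../tmp/test", "pwn")
        zf.writestr("/etc/passwd.bak", "abs")
    return buf.getvalue()


def entry_escapes(dest: str, name: str) -> bool:
    """True if extracting member `name` under `dest` would land outside dest.

    Backslashes are normalised because some extractors treat them as
    separators; absolute names are rejected outright; the rest is resolved
    with realpath (lexical for non-existent components) and compared against
    the resolved destination.
    """
    name = name.replace("\\", "/")
    if posixpath.isabs(name):
        return True
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, *name.split("/")))
    return os.path.commonpath([root, target]) != root


def find_traversal_entries(jar_bytes: bytes) -> list[str]:
    """Audit-only pass: list member names that would escape a notional
    absolute destination ("/x" is an assumption; any absolute dir works)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes("/x", n)]


def safe_extract(jar_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only members that stay inside dest; return (extracted, rejected)."""
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if entry_escapes(dest, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, *info.filename.split("/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo() -> dict:
    """Run safe_extract() on the constructed jar in a scratch directory."""
    jar = build_trash_jar()
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(jar, dest)
        hello_exists = os.path.isfile(os.path.join(dest, "ok", "hello.txt"))
    return {"extracted": extracted, "rejected": rejected, "hello_exists": hello_exists}


if __name__ == "__main__":
    print("would escape:", find_traversal_entries(build_trash_jar()))
    print(demo())
```

Run it as a script; the rejected list is exactly the two members a vulnerable `jar xvf` would have written to /tmp/test and /etc/passwd.bak. The same `entry_escapes()` check applies to tar and other archive formats, where the member name is attacker-controlled just as in a jar.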
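The PORTEPOCH ordering that produces the false positive, as an added example not from the thread and not portaudit's or pkg_version(1)'s own code: a deliberately simplified Python model of FreeBSD package version ordering (epoch first, then the dotted numeric version, then PORTREVISION). It is run over the two linux-sun-jdk auditfile lines quoted above and over the per-epoch ranges sketched at the end of the message. Assumptions: only numeric components are handled (the jdk lines with p-patchlevels are left out), a bound ending in ".*" is treated as a prefix wildcard, and 1.6.42 is the placeholder from the message, not a real fixed version.

```python
"""Simplified model of FreeBSD pkg_version(1) ordering: version[_rev][,epoch].

Added example, not the thread's or portaudit's code.  Enough of the real
rules to show why linux-sun-jdk-1.6.0.18 (no PORTEPOCH) sorts *below*
1.5.2.02,2 (PORTEPOCH 2) and therefore matches the range >=1.5.*<=1.5.2.02,2.
Assumptions: numeric dotted components only; a trailing ".*" is a prefix
wildcard; no letters or "pl" patch levels.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortVersion:
    parts: tuple[int, ...]
    revision: int   # PORTREVISION, the _N suffix
    epoch: int      # PORTEPOCH, the ,N suffix; absent means 0
    wildcard: bool  # True when the version ended in ".*"


def parse(text: str) -> PortVersion:
    """Parse 'version[_revision][,epoch]'; epoch is split off first."""
    epoch = 0
    if "," in text:
        text, e = text.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in text:
        text, r = text.split("_", 1)
        revision = int(r)
    wildcard = text.endswith(".*")
    if wildcard:
        text = text[:-2]
    return PortVersion(tuple(int(p) for p in text.split(".")), revision, epoch, wildcard)


def compare(a: PortVersion, b: PortVersion) -> int:
    """pkg_version(1)-style: epoch decides first, then version, then revision.
    Returns -1, 0 or 1."""
    if a.epoch != b.epoch:
        return (a.epoch > b.epoch) - (a.epoch < b.epoch)
    if a.wildcard or b.wildcard:
        # Prefix comparison only; revision is ignored for a wildcard bound.
        n = min(len(a.parts), len(b.parts))
        pa, pb = a.parts[:n], b.parts[:n]
        return (pa > pb) - (pa < pb)
    n = max(len(a.parts), len(b.parts))
    pa = a.parts + (0,) * (n - len(a.parts))
    pb = b.parts + (0,) * (n - len(b.parts))
    if pa != pb:
        return (pa > pb) - (pa < pb)
    return (a.revision > b.revision) - (a.revision < b.revision)


OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=": lambda c: c == 0,
}

# Constructed from the two linux-sun-jdk auditfile lines quoted in the thread
# (URL and description columns dropped).
AUDITFILE = [
    "linux-sun-jdk<=1.4.2.08_1",
    "linux-sun-jdk>=1.5.*<=1.5.2.02,2",
]

# The per-epoch ranges sketched in the message, in auditfile syntax.
# 1.6.42 is the message's placeholder for "some fixed 1.6 version".
PROPOSED = [
    "linux-sun-jdk>=1.5.*<=1.6.42",
    "linux-sun-jdk>=1.5.*,1<=1.5.2.02,1",
    "linux-sun-jdk>=1.5.*,2<=1.5.2.02,2",
]


def rule_matches(rule: str, pkgname: str, version: str) -> bool:
    """Does 'name<op>bound[<op>bound]' apply to pkgname-version?"""
    m = re.match(r"^([^<>=]+)((?:(?:[<>]=?|=)[^<>=]+)+)$", rule)
    if not m or m.group(1) != pkgname:
        return False
    v = parse(version)
    for op, bound in re.findall(r"([<>]=?|=)([^<>=]+)", m.group(2)):
        if not OPS[op](compare(v, parse(bound))):
            return False
    return True


def affected(rules: list[str], pkg: str) -> list[str]:
    """Return the rules that flag an installed/about-to-build package such as
    'linux-sun-jdk-1.6.0.18' (name and version split at the last '-')."""
    name, version = pkg.rsplit("-", 1)
    return [r for r in rules if rule_matches(r, name, version)]


if __name__ == "__main__":
    for pkg in ("linux-sun-jdk-1.6.0.18", "linux-sun-jdk-1.5.2.02,2"):
        print(pkg, "current:", affected(AUDITFILE, pkg), "proposed:", affected(PROPOSED, pkg))
```

The real pkg_version(1) also orders letter suffixes, "pl" patch levels and "+", so this model is only for seeing the epoch effect: with the quoted ranges 1.6.0.18 is flagged because its epoch 0 is below the bound's epoch 2, and with one range per epoch only the 1.5.*,2 line catches the 1.5 port while the epoch-0 range can be closed at whatever 1.6 version finally carries the fix.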