From owner-freebsd-java@FreeBSD.ORG Thu May 6 18:51:15 2010
Delivered-To: java@freebsd.org
Date: Thu, 6 May 2010 20:48:00 +0200 (CEST)
From: Juergen Lock
Message-Id: <201005061848.o46Im0q9020849@triton8.kn-bremen.de>
To: freebsd@knarf.de
X-Newsgroups: local.list.freebsd.ports
In-Reply-To: <20100503130401.GA54358@server-king.de>
Organization: home
Cc: java@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: portaudit prevents installation of linux-sun-jdk16 (and java browser plugins)
List-Id: Porting Java to FreeBSD

In article <20100503130401.GA54358@server-king.de> you write:
>I've sent the following email to java@freebsd.org & secteam@FreeBSD.org
>one month ago, but I got no answer.
>
>The same problem still exists with linux-sun-jdk-1.6.0.20.
>
>Date: Mon, 29 Mar 2010 00:48:36 +0200
>To: java@freebsd.org, secteam@FreeBSD.org
>Subject: portaudit prevents installation of linux-sun-jdk16
>
>Hi java@freebsd.org & secteam@FreeBSD.org,
>
>I think this is both a java and a portaudit issue.
>
>I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6:
>
>http://www.java.com/en/download/faq/firefox_newplugin.xml
>
Does that actually work for you in Linux ff?  Here I just get either
the applet replaced with a grey box or a hung ff, depending on which
version of Linux ff I try...  (I tried 3.5.8 and 3.5.9, i.e. the
www/linux-firefox-devel port, as well as several ff 3.6 and 3.7 Linux
builds off mozilla.org simply run from the extracted dir; it does work
in linux-opera as well as in both the kde3 and the kde4 versions of
konqueror, so I guess it's not the Linuxolator's fault alone...)

If you want to see for yourself, the new plugin is in
/usr/local/linux-sun-jdk1.6.0/jre/lib/i386/libnpjp2.so - symlink that
into ~/.mozilla/plugins and then go to e.g.
http://www.java.com/en/download/help/testvm.xml with Linux ff.

And the old plugin in
/usr/local/linux-sun-jdk1.6.0/jre/plugin/i386/ns7/libjavaplugin_oji.so
hangs Linux ff 3.5.9 too - and obviously doesn't work in ff >= 3.6.

Oh, and the old native plugin,
/usr/local/diablo-jdk1.6.0/jre/plugin/amd64/ns7/libjavaplugin_oji.so
does work in native ff 3.5, just not in 3.6, of course, because of the
api change.

>So I had a look at the versions of /usr/ports/java/*jdk16* on my
>FreeBSD machine.
>
>linux-sun-jdk-1.6.0.18 seems to be the only port in the tree that
>meets the requirements. But if I try to make it, portaudit prevents
>the build:
>
>===> linux-sun-jdk-1.6.0.18 has known vulnerabilities:
>=> jdk -- jar directory traversal vulnerability.
>   Reference: .html>
>
>But if I have a look at the reference URL, 1.6 does not seem to be
>affected. I did a portaudit -F in order to make sure my database
>is up to date.
>
>So is this a false positive that should get fixed?
>
>There was a PR on this in 2007:
>
>http://www.freebsd.org/cgi/query-pr.cgi?pr=115558&cat=
>
>The reason for this PR to get closed was that it was reproducible with
>linux-sun-jdk-1.6.0.02.
>
>http://freebsd.monkey.org/freebsd-java/200708/msg00101.html
>
>My open questions:
>
>1. Is linux-sun-jdk-1.6.0.18 still vulnerable? Sorry, I don't have
>a bad.jar, but I'm willing to test.
>
Turns out it actually still is (wtf!!), also linux-sun-jdk-1.6.0.20,
which I just updated to, if I do the test mentioned in:

http://www.securiteam.com/securitynews/5IP0C0AFGW.html

[...]
zsh triton8% rm /tmp/test
zsh triton8% /usr/local/linux-sun-jdk1.6.0/bin/jar xvf trash.jar
[...]
 inflated: ../../../../tmp/test
zsh: killed     /usr/local/linux-sun-jdk1.6.0/bin/jar xvf trash.jar
zsh triton8% echo $?
137
zsh triton8% ls -l /tmp/test
-rw-r--r--  1 nox  wheel  3 May  6 18:32 /tmp/test
zsh triton8%

(and the SIGKILL is strange too.)

>2. Shouldn't
>http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get
>updated in order to make clear at least linux-sun-jdk-1.6.0.02 was
>vulnerable?
>
>3. Why does portaudit think it's vulnerable even if the auditfile
>does not seem to contain a matching entry for linux-sun-jdk-1.6.0.18?
>
>$ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile
>jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>
..and this is because linux-sun-jdk15 has had its PORTEPOCH bumped
twice (the ,2), while linux-sun-jdk16 has no PORTEPOCH yet, so
1.6.0.18 is considered smaller than 1.5.2.02,2.

(And once there actually _is_ a linux-sun-jdk16 version where this
bug is fixed, I guess we'd have to do separate ranges like:

	1.5.*1.6.42
	1.5.*,11.5.2.02,1
	1.5.*,21.5.2.02,2
)

HTH,
	Juergen
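The "inflated: ../../../../tmp/test" line above is the classic jar/zip directory traversal: an archive entry name that, once joined to the extraction directory, resolves to a path outside it. As an added example (not code from the thread, Sun's jar tool or portaudit), the following builds such an archive in memory and shows the check an extractor needs: resolve every entry against the destination and refuse the whole archive if any entry lands elsewhere. The entry name, file contents and destination paths are constructed for the demo.

```python
import io
import os
import zipfile

# Constructed sample entry name, mirroring the one in the thread's jar xvf output.
TRAVERSAL_NAME = "../../../../tmp/test"


def build_test_jar(with_traversal: bool) -> bytes:
    """Build a small jar (a zip file) in memory, optionally with a climbing entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("ok/hello.txt", "hi\n")
        if with_traversal:
            # zipfile stores the entry name verbatim; only extraction sanitises it.
            zf.writestr(TRAVERSAL_NAME, "foo")  # 3 bytes, like the thread's /tmp/test
    return buf.getvalue()


def traversal_entries(jar_bytes: bytes, dest: str) -> list:
    """Names of entries whose resolved target would land outside `dest`.

    Catches '..' climbing, absolute entry names, and anything else that does
    not resolve to a path beneath the destination directory.
    """
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(name)
    return bad


def safe_extract(jar_bytes: bytes, dest: str) -> list:
    """Refuse the whole archive if any entry escapes `dest`; otherwise extract."""
    bad = traversal_entries(jar_bytes, dest)
    if bad:
        raise ValueError("refusing to extract, entries escape %s: %r" % (dest, bad))
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


if __name__ == "__main__":
    print(traversal_entries(build_test_jar(True), "/tmp/dest"))  # ['../../../../tmp/test']
```

Checking all entries before writing anything matters: an extractor that validates per entry while extracting has already written the earlier entries by the time it hits the bad one.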
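To make the PORTEPOCH explanation concrete, here is an added example (not portaudit's or pkg_version's own code) of a simplified FreeBSD package version comparison following the pkg_version(1) "version[_revision][,epoch]" convention, in which the epoch is compared before anything else. It ignores pkg_version's patch-level and letter rules and the "1.5.*" glob lower bound; the inputs are the version strings from the auditfile lines above.

```python
def split_pkg_version(v: str):
    """Return (epoch, version parts, revision) for 'version[_rev][,epoch]'."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = []
    for p in v.split("."):
        # Numeric components compare as numbers ("02" == "2"); others as text.
        parts.append((0, int(p)) if p.isdigit() else (1, p))
    return epoch, parts, revision


def pkg_version_cmp(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b: epoch first, then version, then revision."""
    ka = split_pkg_version(a)
    kb = split_pkg_version(b)
    return (ka > kb) - (ka < kb)


def within_upper_bound(version: str, upper: str) -> bool:
    """The '<=' half of an auditfile range such as 'linux-sun-jdk>=1.5.*<=1.5.2.02,2'."""
    return pkg_version_cmp(version, upper) <= 0


if __name__ == "__main__":
    # linux-sun-jdk16 has no PORTEPOCH, so 1.6.0.18 (epoch 0) sorts below
    # 1.5.2.02,2 (epoch 2) and the entry matches.
    print(within_upper_bound("1.6.0.18", "1.5.2.02,2"))    # True  (false positive)
    # With a PORTEPOCH of 2 on the jdk16 port the comparison is by version again.
    print(within_upper_bound("1.6.0.18,2", "1.5.2.02,2"))  # False
```

The same ordering also explains why the auditfile carries the ",2" on the jdk15 bound: without an epoch the bound would compare below every epoch-bumped package version of the port.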