Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200411-38 ] Sun and Blackdown Java: Applet privilege escalation
Date: Mon, 29 Nov 2004 21:32:35
Message-Id: 200411292235.19289.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200411-38
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Sun and Blackdown Java: Applet privilege escalation
9 Date: November 29, 2004
10 Bugs: #72172, #72221
11 ID: 200411-38
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 The Java plug-in security in Sun and Blackdown Java environments can be
19 bypassed to access arbitrary packages, allowing untrusted Java applets
20 to perform unrestricted actions on the host system.
21
22 Background
23 ==========
24
25 Sun and Blackdown both provide implementations of Java Development Kits
26 (JDK) and Java Runtime Environments (JRE). All these implementations
27 provide a Java plug-in that can be used to execute Java applets in a
28 restricted environment for web browsers.
29
30 Affected packages
31 =================
32
33 -------------------------------------------------------------------
34 Package / Vulnerable / Unaffected
35 -------------------------------------------------------------------
36 1 dev-java/sun-jdk < 1.4.2.06 >= 1.4.2.06
37 2 dev-java/sun-jre-bin < 1.4.2.06 >= 1.4.2.06
38 3 dev-java/blackdown-jdk < 1.4.2.01 >= 1.4.2.01
39 4 dev-java/blackdown-jre < 1.4.2.01 >= 1.4.2.01
40 -------------------------------------------------------------------
41 # Package 1 [dev-java/sun-jdk] only applies to x86 and AMD64
42 users.
43 # Package 2 [dev-java/sun-jre-bin] only applies to x86 and AMD64
44 users.
45 # Package 3 [dev-java/blackdown-jdk] only applies to x86 and
46 AMD64 users.
47 # Package 4 [dev-java/blackdown-jre] only applies to x86 and
48 AMD64 users.
49 -------------------------------------------------------------------
50 4 affected packages; please see the notes above...
51 -------------------------------------------------------------------
52
53 Description
54 ===========
55
56 All Java plug-ins are subject to a vulnerability allowing unrestricted
57 Java package access.
58
59 Impact
60 ======
61
62 A remote attacker could embed a malicious Java applet in a web page and
63 entice a victim to view it. This applet can then bypass security
64 restrictions and execute any command or access any file with the rights
65 of the user running the web browser.
66
67 Workaround
68 ==========
69
70 As a workaround you could disable Java applets on your web browser.
71
72 Resolution
73 ==========
74
75 All Sun JDK users should upgrade to the latest version:
76
77 # emerge --sync
78 # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.06"
79
80 All Sun JRE users should upgrade to the latest version:
81
82 # emerge --sync
83 # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.06"
84
85 All Blackdown JDK users should upgrade to the latest version:
86
87 # emerge --sync
88 # emerge --ask --oneshot --verbose ">=dev-java/blackdown-jdk-1.4.2.01"
89
90 All Blackdown JRE users should upgrade to the latest version:
91
92 # emerge --sync
93 # emerge --ask --oneshot --verbose ">=dev-java/blackdown-jre-1.4.2.01"
94
95 Note: You should unmerge all vulnerable versions to be fully protected.
96
97 References
98 ==========
99
100 [ 1 ] iDEFENSE Security Advisory 11.22.04
101 http://www.idefense.com/application/poi/display?id=158&type=vulnerabilities
102 [ 2 ] CAN-2004-1029
103 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029
104 [ 3 ] Blackdown Security Advisory 2004-01
105 http://www.blackdown.org/java-linux/java2-status/security/Blackdown-SA-2004-01.txt
106
107 Availability
108 ============
109
110 This GLSA and any updates to it are available for viewing at
111 the Gentoo Security Website:
112
113 http://security.gentoo.org/glsa/glsa-200411-38.xml
114
115 Concerns?
116 =========
117
118 Security is a primary focus of Gentoo Linux and ensuring the
119 confidentiality and security of our users machines is of utmost
120 importance to us. Any security concerns should be addressed to
121 security@g.o or alternatively, you may file a bug at
122 http://bugs.gentoo.org.
123
124 License
125 =======
126
127 Copyright 2004 Gentoo Foundation, Inc; referenced text
128 belongs to its owner(s).
129
130 The contents of this document are licensed under the
131 Creative Commons - Attribution / Share Alike license.
132
133 http://creativecommons.org/licenses/by-sa/2.0