Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-1029: (Java) privilege escalation with Java Plug-in in JRE/SDK | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sonja Krause-Harder <skh> |
| Component: | Incidents | Assignee: | Sonja Krause-Harder <skh> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | pmladek, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-1029: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | java2.patch.maintained, java2.patch.box | | |

Description
Sonja Krause-Harder
2004-11-24 20:41:44 UTC
Correction: There is a fixed 1.3.1 (1.3.1_13) as well.

Can you prepare java update packages please?

8.1 / SLES 8 --- 1.3.1_04 -> 1.3.1_13
8.2 --- 1.4.1_02 -> 1.4.2_06
9.0 --- 1.4.2 -> 1.4.2_06
9.1 / SLES 9 --- 1.4.2_03 -> 1.4.2_06
9.2 --- 1.4.2_05 -> 1.4.2_06

Packages have been submitted to /work/src/done.

Packages have now also been submitted for sles8-slec-i386 and 8.1-x86_64. Please note that for sles8-slec-i386 (SuSE Linux Desktop) this means a version upgrade from 1.4.1 to 1.4.2, which might affect certifications. There's also a java2 package for ppc but regardless of what rpm -i says this one contains a Blackdown Java. Sun Java for ia64 doesn't contain the plugin.

CAN-2004-1029

Created attachment 26500 [details]
java2.patch.maintained
box patchinfo,
no ppc - blackdown java is used here
no ia64 - plugin not included
Created attachment 26501 [details]
java2.patch.box
box patchinfo
Removed 8.2-i386 and sles8-slec-i386 from the above patchinfos. Patchinfos for 8.2-i386 and sles8-slec-i386 have to be (re-)submitted after packages checked in.

BlackdownJava2-JRE is affected too, see: http://www.blackdown.org/java-linux/java2-status/security/Blackdown-SA-2004-01.txt
If I'm not mistaken, this package is only present on SLEC and 8.2-i386. The fix is an update 1.4.1 -> 1.4.2 with the known and maybe unknown side effects. I'm preparing updated packages and wait for a decision from somewhere.

BlackdownJava2-JRE for SLEC and 8.2-i386 is ready for submission and works fine on my test machine.

Rejected all patchinfo besides 9.2* as there are problems with the browser plugin. I had to reject all distributions besides 9.2 due to the mix in the various patchinfos. 9.2 is ok, Sonja said.

PING Pong.

I'm in the process of finding out for which versions I can provide a working update at all. Sorry for the delay, stay tuned.

Last status (basically unchanged from what I told Harald and Marcus):

java-1_4_2-sun:
9.2: submitted version tested, works

java2-jre:
9.1: tested as submitted, works
SLES 9: not tested, same as 9.1, should work as submitted
8.2, SLEC: released package does not contain a working java plugin anyway, and I did not succeed in packaging the new one so that it works after the update without manual intervention. This is due to the problem described in #48701
8.1, SLES8: released package does not contain a working java plugin anyway, and I did not succeed in getting the new one to work even with manual intervention

BlackdownJava2-JRE:
8.2, SLEC: released packages contain a vulnerable java, but I didn't succeed in packaging the new version so that it works after the update without manual intervention, see #48701.

Could someone please tell me what to do now? Petr, any suggestions would be very welcome.

I have already written my opinion to Sonja:
Regarding java2-jre and 8.2/SLEC:
---------------------------------
I have checked the /opt/mozilla/add-plugins.sh and there is the following code:
[...]
GCC3=1
[...]
if [ "$PLUGIN" ]; then
    if [ $GCC3 -eq 1 ]; then # only Blackdown is usable yet
        for i in $PLUGIN; do
            if [[ $i == *mozilla* ]]; then
                TMP=$i
                break
            fi
        done
So, the script ignores plugins from java2-jre. It is because they were compiled
with gcc, version 1.9x and were not compatible with mozilla compiled with gcc,
version 3.x.
This is not correct now because java2-jre provides the plugin compiled with gcc,
version 3.2 (in the subdir ns610-gcc32).
I see the following possibilities:
1. You can ignore this problem because the plugin from java2-jre was never
configured.
2. You can ask Wolfgang to update the add-plugins.sh to be able to configure
the new java2-jre plugin. But it would be a problem because it means that both
packages (mozilla and java2-jre) must be updated.
3. You can create a hack in the %post script of the package java2-jre, so it will
create the link itself. Note that it should not replace any existing and
working link.
You can use something like this (untested!!!):
%post jre
if [ ! -f /opt/mozilla/plugins/libjavaplugin_oji.so ]; then
    # this will remove a potential invalid symlink which does not point to any file
    rm -f /opt/mozilla/plugins/libjavaplugin_oji.so
    ln -sf /usr/lib/SunJava2-1.4.2/jre/plugin/i386/ns610-gcc32/libjavaplugin_oji.so \
        /opt/mozilla/plugins/libjavaplugin_oji.so
fi
Regarding java2-jre and 8.1/SLES8:
----------------------------------
You didn't tell me that the plugin does not work. You told me that there
is the file /opt/mozilla/lib/plugins/libjavaplugin_oji.so which doesn't belong
to any package.
You found that it was created by a %post script from a newer mozilla package
which is accessible via YOU.
We decided that you can remove or rename the file in the %post script of the new
java2-jre package.
Is there any new problem?
Regarding BlackdownJava2-JRE and 8.2, SLEC:
-------------------------------------------
Hmm, there is the bug in the mozilla package as described in #48701.
I see the following possibilities:
1. You can ask Wolfgang to fix the mozilla package. It would be a problem because it
means that both packages (mozilla and java2-jre) must be updated.
2. You can create a hack in %post script of the BlackdownJava2-JRE which will
remove the obsolete link (for the older version of the package) and create the
new one.
You can use something like this (untested!!!):
%post -n BlackdownJava2-JRE
# remove the link left behind by the older version of the package
# (readlink is used to read the link target; the draft called a non-standard "linkto")
if [ -L /opt/mozilla/plugins/libjavaplugin_oji.so -a \
     "`readlink /opt/mozilla/plugins/libjavaplugin_oji.so`" = \
     "/usr/lib/BlackdownJava2-1.4.1/jre/plugin/i386/mozilla/javaplugin_oji.so" ]; then
    rm -f /opt/mozilla/plugins/libjavaplugin_oji.so
fi
if [ ! -f /opt/mozilla/plugins/libjavaplugin_oji.so ]; then
    # this will remove a potential invalid symlink which does not point to any file
    rm -f /opt/mozilla/plugins/libjavaplugin_oji.so
    ln -sf /usr/lib/BlackdownJava2-1.4.2/jre/plugin/i386/mozilla/libjavaplugin_oji.so \
        /opt/mozilla/plugins/libjavaplugin_oji.so
fi
Note that you really must create the new symlink in the %post script. It is
because, the add-plugins.sh script is started after this %post script and it
would add the symlink for the old version of the package again. If you create a
new good link then the add-plugins.sh script will leave it as is.
-------------------------------------------------
IMHO, I would add the %post scripts in all cases. So, it could work after
the update.
I do not know if there is a new problem in the second case (java2-jre and
8.1/SLES8). Is it?
Petr, I have tried the changes to %post you suggested above but they did not work. I'd be happy to be proven wrong, please give it a try.

Well, are there any machines where I could test it on SLEC and SLES8?

Well, the scripts did not pass the build checks. It was needed to add a check for existence of the /opt/mozilla/plugins directory which is not available when the java packages are built and need not be installed even on the user's machine.
I have started with your packages which I took from:
chomsky:/local/packages/8.2-i386/BlackdownJava2-JRE
chomsky:/local/packages/8.2-i386/java2
and added, fixed the %post install scripts. You can find the updated packages for SLD at ~pmladek/Export/java/SLD-1/ There are binary packages and also the sources. It should solve the remaining problem on SLEC. I will look at the package for SLES8 on Monday.

The problem with SLES8 is that it is compiled using gcc-3.x and Sun Java JRE, version 1.3.x does not provide a plugin compiled with such gcc version. The plugin compiled with gcc-2.9x is not usable. Mozilla prints the following error message if it is used:

LoadPlugin: failed to initialize shared library /opt/mozilla/lib/plugins/libjavaplugin_oji.so [/opt/mozilla/lib/plugins/libjavaplugin_oji.so: undefined symbol: __vt_17nsGetServiceByCID]
LoadPlugin: failed to initialize shared library /opt/mozilla/lib/plugins/libjavaplugin_oji.so [/opt/mozilla/lib/plugins/libjavaplugin_oji.so: undefined symbol: __vt_17nsGetServiceByCID]

These error messages (listing the symbol __vt_17nsGetServiceByCID) are typical for the gcc related problem, see the bug 32461 for example. Well, the plugin never worked and it won't work. The only possibility would be to update to JDK, 1.4.x. or to Blackdown java. There is only one problem, that the old vulnerable plugin was copied to /opt/mozilla/lib/plugins. We should replace it if it really comes from the older version of the package.
We should not delete it because the user would use a self compiled mozilla using gcc-2.95. I have prepared the respective script:

%pre jre
# replace the older vulnerable mozilla plugin with a link to the new one
# after an update
if [ $1 -gt 1 -a -f /opt/mozilla/lib/plugins/libjavaplugin_oji.so ] && \
   diff /opt/mozilla/lib/plugins/libjavaplugin_oji.so \
        /usr/lib/SunJava2/jre/plugin/i386/ns600/libjavaplugin_oji.so >/dev/null 2>&1 ; then
    rm -f /opt/mozilla/lib/plugins/libjavaplugin_oji.so
    ln -sf /usr/lib/SunJava2/jre/plugin/i386/ns600/libjavaplugin_oji.so \
        /opt/mozilla/lib/plugins/libjavaplugin_oji.so
fi

I have added this script to the package found at:
/local/packages/8.1-i386/java2
You can find the updated version at:
~pmladek/Export/java/SLES8/java2

The 9.0, 9.1, 9.2 and sles9 packages are already ok, so I submitted patchinfos for those (based on the ones below).
swampid: 99

Sonja, did you test Petr's packages?

I've submitted Petr's version for SLES8 / 8.1-i386 (thanks!). Please note that the testcase still will and must fail in QA due to the wrong-gcc-problem Petr mentioned above.

to Comment #18: I tested the package built from ~pmladek/Export/SLD-1/BlackdownJava-JRE/ on 8.2-i386, but the problem with the disappearing link to the plugin (it is deleted by a mozilla %triggerun script, see Comment #14 or bug 63701), so I guess we have to wait for the mozilla update or just document the bug and get the security update out as it is now.

Should have read: "...the problem with the disappearing link [...] is still there, so I guess...". Sorry.

Submitted the latest (pmladek's) version of BlackdownJava2-JRE to SLEC and 8.2-i386.

updates released.
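The three scriptlets in this thread (the java2-jre %post for 8.2/SLEC, the BlackdownJava2-JRE %post, and the %pre for SLES8) each handle one case of the same question: what is sitting at the browser's plugin path, and whether the package update may replace it. The function below is an added example that folds those cases into one POSIX sh routine; it is not code from this bug, from Petr's packages or from any SUSE package. The paths are parameters rather than the fixed /opt/mozilla and /usr/lib/SunJava2 locations so it can be exercised against a scratch directory, and the decision table is an assumption drawn from the discussion: a dangling link, a link to the superseded plugin, a byte-identical copy of the old plugin, or nothing at all get replaced; anything else (a link or file the administrator put there) is left alone; a missing plugin directory is a no-op, which is what the build checks required; and a missing new plugin is refused rather than turned into a dangling link.

```shell
#!/bin/sh
# Added example: generic form of the plugin-symlink repair discussed in this bug.
# Not taken from the bug's packages; paths are arguments so it runs anywhere.
#
# fix_plugin_link LINK OLD_PLUGIN NEW_PLUGIN
#   LINK        path the browser loads, e.g. /opt/mozilla/plugins/libjavaplugin_oji.so
#   OLD_PLUGIN  plugin file shipped by the previous (vulnerable) package version
#   NEW_PLUGIN  plugin file shipped by the updated package
# Exit status: 0 if LINK now points at NEW_PLUGIN, 1 if LINK was left untouched.
fix_plugin_link() {
    lnk=$1; oldp=$2; newp=$3
    # Browser not installed (or we are inside a build root): nothing to do.
    [ -d "$(dirname "$lnk")" ] || return 1
    # Never point the browser at a plugin that is not there.
    [ -f "$newp" ] || return 1

    replace=0
    if [ -L "$lnk" ]; then
        if [ ! -e "$lnk" ]; then
            replace=1                                  # dangling symlink
        elif [ "$(readlink "$lnk")" = "$oldp" ]; then
            replace=1                                  # link to the superseded plugin
        fi
    elif [ -f "$lnk" ]; then
        # A plain file here is usually a copy made by an older mozilla %post.
        # Replace it only if it is byte-identical to the old package's plugin,
        # so a self-built or hand-installed plugin survives the update.
        if cmp -s "$lnk" "$oldp"; then
            replace=1
        fi
    elif [ ! -e "$lnk" ]; then
        replace=1                                      # nothing there yet
    fi

    [ "$replace" -eq 1 ] || return 1
    rm -f "$lnk"
    ln -s "$newp" "$lnk"
}

# plugin_link_state LINK: one word describing what is at LINK, for checks.
# Prints "missing", "dangling", "file", or "symlink:<target>".
plugin_link_state() {
    if [ -L "$1" ]; then
        if [ -e "$1" ]; then printf 'symlink:%s\n' "$(readlink "$1")"; else echo dangling; fi
    elif [ -f "$1" ]; then
        echo file
    else
        echo missing
    fi
}
```

In a spec file this would be called from %post (after the new plugin file is on disk) with the two package paths hard-coded, and, as the thread notes, it has to run before the browser's add-plugins.sh gets a chance to recreate the old link; the comparison of the link target uses readlink, which is available on every Linux distribution of that era and now.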