Bugzilla – Bug 63498
VUL-0: CVE-2004-1029: (Java) privilege escalation with Java Plug-in in JRE/SDK
Last modified: 2021-10-16 09:14:03 UTC
see http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1 A vulnerability in the Java Plug-in may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet. The only fix available is the upgrade to the latest 1.4.2 release (1.4.2_06). There is no fix for older affected versions, and 1.4.2 is not fully backwards compatible (this is a problem for products that still have a 1.3 java).
Correction: There is a fixed 1.3.1 (1.3.1_13) as well.
can you prepare java update packages please?

  8.1 / SLES 8  --- 1.3.1_04 -> 1.3.1_13
  8.2           --- 1.4.1_02 -> 1.4.2_06
  9.0           --- 1.4.2    -> 1.4.2_06
  9.1 / SLES 9  --- 1.4.2_03 -> 1.4.2_06
  9.2           --- 1.4.2_05 -> 1.4.2_06
Packages have been submitted to /work/src/done.
Packages have now also been submitted for sles8-slec-i386 and 8.1-x86_64. Please note that for sles8-slec-i386 (SuSE Linux Desktop) this means a version upgrade from 1.4.1 to 1.4.2, which might affect certifications. There's also a java2 package for ppc but regardless of what rpm -i says this one contains a Blackdown Java. Sun Java for ia64 doesn't contain the plugin.
CAN-2004-1029
Created attachment 26500: java2.patch.maintained (box patchinfo; no ppc, blackdown java is used here; no ia64, plugin not included)
Created attachment 26501: java2.patch.box (box patchinfo)
Removed 8.2-i386 and sles8-slec-i386 from the above patchinfos. Patchinfos for 8.2-i386 and sles8-slec-i386 have to be (re-)submitted after packages checked in.
BlackdownJava2-JRE is affected too, see: http://www.blackdown.org/java-linux/java2-status/security/Blackdown-SA-2004-01.txt If I'm not mistaken, this package is only present on SLEC and 8.2-i386. The fix is an update 1.4.1 -> 1.4.2 with the known and maybe unknown side effects. I'm preparing updated packages and wait for a decision from somewhere.
BlackdownJava2-JRE for SLEC and 8.2-i386 is ready for submission and works fine on my test machine.
Rejected all patchinfos besides 9.2* as there are problems with the browser plugin. I had to reject all distributions besides 9.2 due to the mix in the various patchinfos. 9.2 is ok, Sonja said.
PING
Pong. I'm in the process of finding out for which versions I can provide a working update at all. Sorry for the delay, stay tuned.
Last status (basically unchanged from what I told Harald and Marcus):

java-1_4_2-sun:
  9.2: submitted version tested, works

java2-jre:
  9.1: tested as submitted, works
  SLES 9: not tested, same as 9.1, should work as submitted
  8.2, SLEC: released package does not contain a working java plugin anyway, and I did not succeed in packaging the new one so that it works after the update without manual intervention. This is due to the problem described in #48701
  8.1, SLES8: released package does not contain a working java plugin anyway, and I did not succeed in getting the new one to work even with manual intervention

BlackdownJava2-JRE:
  8.2, SLEC: released packages contain a vulnerable java, but I didn't succeed in packaging the new version so that it works after the update without manual intervention, see #48701.

Could someone please tell me what to do now? Petr, any suggestions would be very welcome.
I have already written my opinion to Sonja:

Regarding java2-jre and 8.2/SLEC:
---------------------------------
I have checked the /opt/mozilla/add-plugins.sh and there is the following code:

    [...]
    GCC3=1
    [...]
    if [ "$PLUGIN" ]; then
        if [ $GCC3 -eq 1 ]; then
            # only Blackdown is usable yet
            for i in $PLUGIN; do
                if [[ $i == *mozilla* ]]; then
                    TMP=$i
                    break
                fi
            done

So, the script ignores plugins from java2-jre. It is because they were compiled with gcc, version 1.9x and were not compatible with mozilla compiled with gcc, version 3.x. This is not correct now because java2-jre provides the plugin compiled with gcc, version 3.2 (in the subdir ns610-gcc32).

I see the following possibilities:

1. You can ignore this problem because the plugin from java2-jre was never configured.

2. You can ask Wolfgang to update the add-plugins.sh to be able to configure the new java2-jre plugin. But it would be a problem because it means that both packages (mozilla and java2-jre) must be updated.

3. You can create a hack in the %post script of the package java2-jre, so it will create the link itself. Note that it should not replace any existing and working link. You can use something like this (untested!!!):

    %post jre
    if [ ! -f /opt/mozilla/plugins/libjavaplugin_oji.so ]; then
        # this will remove a potential invalid symlink which does not point to any file
        rm -f /opt/mozilla/plugins/libjavaplugin_oji.so
        ln -sf /usr/lib/SunJava2-1.4.2/jre/plugin/i386/ns610-gcc32/libjavaplugin_oji.so /opt/mozilla/plugins/libjavaplugin_oji.so
    fi

Regarding java2-jre and 8.1/SLES8:
----------------------------------
You didn't tell me that the plugin does not work. You told me that there is the file /opt/mozilla/lib/plugins/libjavaplugin_oji.so which doesn't belong to any package. You found that it was created by a %post script from a newer mozilla package which is accessible via YOU. We decided that you can remove or rename the file in the %post script of the new java2-jre package. Is there any new problem?
Regarding BlackdownJava2-JRE and 8.2, SLEC:
-------------------------------------------
Hmm, there is the bug in the mozilla package as described in #48701. I see the following possibilities:

1. You can ask Wolfgang to fix the mozilla package. It would be a problem because it means that both packages (mozilla and java2-jre) must be updated.

2. You can create a hack in the %post script of the BlackdownJava2-JRE which will remove the obsolete link (for the older version of the package) and create the new one. You can use something like this (untested!!!):

    %post -n BlackdownJava2-JRE
    if [ -L /opt/mozilla/plugins/libjavaplugin_oji.so -a "`linkto /opt/mozilla/plugins/libjavaplugin_oji.so`" = "/usr/lib/BlackdownJava2-1.4.1/jre/plugin/i386/mozilla/javaplugin_oji.so" ]; then
        rm -f /opt/mozilla/plugins/libjavaplugin_oji.so
    fi
    if [ ! -f /opt/mozilla/plugins/libjavaplugin_oji.so ]; then
        # this will remove a potential invalid symlink which does not point to any file
        rm -f /opt/mozilla/plugins/libjavaplugin_oji.so
        ln -sf /usr/lib/BlackdownJava2-1.4.2/jre/plugin/i386/mozilla/libjavaplugin_oji.so /opt/mozilla/plugins/libjavaplugin_oji.so
    fi

Note that you really must create the new symlink in the %post script. It is because the add-plugins.sh script is started after this %post script and it would add the symlink for the old version of the package again. If you create a new good link then the add-plugins.sh script will leave it as is.

-------------------------------------------------
IMHO, I would add the %post scripts in all cases. So, it could work after the update. I do not know if there is a new problem in the second case (java2-jre and 8.1/SLES8). Is it?
Petr, I have tried the changes to %post you suggested above but they did not work. I'd be happy to be proven wrong, please give it a try.
Well, are there any machines where I could test it on SLEC and SLES8?
Well, the scripts did not pass the build checks. It was needed to add a check for the existence of the /opt/mozilla/plugins directory, which is not available when the java packages are built and need not be installed even on the user's machine. I have started with your packages which I took from:

    chomsky:/local/packages/8.2-i386/BlackdownJava2-JRE
    chomsky:/local/packages/8.2-i386/java2

and added and fixed the %post install scripts. You can find the updated packages for SLD at ~pmladek/Export/java/SLD-1/ There are binary packages and also the sources. It should solve the remaining problem on SLEC. I will look at the package for SLES8 on Monday.
The problem with SLES8 is that it is compiled using gcc-3.x and Sun Java JRE, version 1.3.x does not provide a plugin compiled with such a gcc version. The plugin compiled with gcc-2.9x is not usable. Mozilla prints the following error message if it is used:

    LoadPlugin: failed to initialize shared library /opt/mozilla/lib/plugins/libjavaplugin_oji.so [/opt/mozilla/lib/plugins/libjavaplugin_oji.so: undefined symbol: __vt_17nsGetServiceByCID]
    LoadPlugin: failed to initialize shared library /opt/mozilla/lib/plugins/libjavaplugin_oji.so [/opt/mozilla/lib/plugins/libjavaplugin_oji.so: undefined symbol: __vt_17nsGetServiceByCID]

These error messages (listing the symbol __vt_17nsGetServiceByCID) are typical for the gcc related problem, see bug 32461 for example.

Well, the plugin never worked and it won't work. The only possibility would be to update to JDK 1.4.x or to Blackdown java.

There is only one problem, that the old vulnerable plugin was copied to /opt/mozilla/lib/plugins. We should replace it if it really comes from the older version of the package. We should not delete it because the user might use a self-compiled mozilla built with gcc-2.95. I have prepared the respective script:

    %pre jre
    # replace the older vulnerable mozilla plugin with a link to the new one
    # after an update
    if [ $1 -gt 1 -a -f /opt/mozilla/lib/plugins/libjavaplugin_oji.so ] && \
       diff /opt/mozilla/lib/plugins/libjavaplugin_oji.so \
            /usr/lib/SunJava2/jre/plugin/i386/ns600/libjavaplugin_oji.so >/dev/null 2>&1 ; then
        rm -f /opt/mozilla/lib/plugins/libjavaplugin_oji.so
        ln -sf /usr/lib/SunJava2/jre/plugin/i386/ns600/libjavaplugin_oji.so \
               /opt/mozilla/lib/plugins/libjavaplugin_oji.so
    fi

I have added this script to the package found at:

    /local/packages/8.1-i386/java2

You can find the updated version at:

    ~pmladek/Export/java/SLES8/java2
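The %post and %pre scriptlets discussed in the two comments above all make the same decision: replace the mozilla plugin entry only when it provably came from the vulnerable package version (a symlink to the old path, a dangling symlink, or a plain copy byte-identical to the old file) and otherwise leave it alone so a user's own link is never clobbered. The script below is an added example, not code from this bug or from the SUSE java2/BlackdownJava2-JRE packages: it factors that logic into a function with the paths as parameters so it can be run and checked outside rpm, and exercises every case against a directory layout it constructs itself under mktemp. The function names and the layout are assumptions for the demonstration; the real scriptlets hard-code the /opt/mozilla paths, and `readlink` is used here where the comment above used `linkto`.

```shell
#!/bin/sh
# Added example (not from the bug or the SUSE packages): parameterised version of
# the plugin-symlink repair done in the %post/%pre scriptlets discussed above.

# fix_plugin_link LINK OLD_TARGET NEW_TARGET
#   LINK        the path mozilla loads, e.g. /opt/mozilla/plugins/libjavaplugin_oji.so
#   OLD_TARGET  the plugin file shipped by the vulnerable package version
#   NEW_TARGET  the plugin file shipped by the fixed package version
# Prints one of: no-plugin-dir, created, replaced-old-link, replaced-dangling,
# replaced-old-copy, kept.  Only entries that provably belong to the old package
# (or point nowhere) are replaced; anything the user put there is kept.
fix_plugin_link() {
    fpl_link=$1 fpl_old=$2 fpl_new=$3
    # The plugin directory need not exist (build host, or mozilla not installed).
    if [ ! -d "$(dirname "$fpl_link")" ]; then
        echo no-plugin-dir; return 0
    fi
    if [ -L "$fpl_link" ]; then
        if [ "$(readlink "$fpl_link")" = "$fpl_old" ]; then
            rm -f "$fpl_link" && ln -s "$fpl_new" "$fpl_link"
            echo replaced-old-link; return 0
        fi
        if [ ! -e "$fpl_link" ]; then            # dangling symlink
            rm -f "$fpl_link" && ln -s "$fpl_new" "$fpl_link"
            echo replaced-dangling; return 0
        fi
        echo kept; return 0                      # working link to something else
    fi
    if [ -f "$fpl_link" ]; then
        # A plain copy (the 8.1/SLES8 case): replace it only if it is byte-identical
        # to the old package's file.  That is why this comparison must run in %pre,
        # while the old package's file is still on disk.
        if [ -f "$fpl_old" ] && cmp -s "$fpl_link" "$fpl_old"; then
            rm -f "$fpl_link" && ln -s "$fpl_new" "$fpl_link"
            echo replaced-old-copy; return 0
        fi
        echo kept; return 0
    fi
    ln -s "$fpl_new" "$fpl_link"
    echo created
}

# demo: builds a constructed layout under mktemp and runs every case in turn.
# Prints the five outcomes on one line and succeeds only if the final link
# points at the new plugin.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/opt/mozilla/plugins" "$tmp/old" "$tmp/new" "$tmp/user"
    printf 'old vulnerable plugin\n' > "$tmp/old/libjavaplugin_oji.so"
    printf 'fixed plugin\n'          > "$tmp/new/libjavaplugin_oji.so"
    printf 'self-built plugin\n'     > "$tmp/user/libjavaplugin_oji.so"
    link=$tmp/opt/mozilla/plugins/libjavaplugin_oji.so
    old=$tmp/old/libjavaplugin_oji.so
    new=$tmp/new/libjavaplugin_oji.so

    r1=$(fix_plugin_link "$link" "$old" "$new")   # nothing there yet
    ln -sf "$old" "$link"
    r2=$(fix_plugin_link "$link" "$old" "$new")   # add-plugins.sh style link to old version
    rm -f "$link"; cp "$old" "$link"
    r3=$(fix_plugin_link "$link" "$old" "$new")   # plain copy of the old plugin
    ln -sf "$tmp/user/libjavaplugin_oji.so" "$link"
    r4=$(fix_plugin_link "$link" "$old" "$new")   # user's own link: must survive
    ln -sf "$tmp/missing.so" "$link"
    r5=$(fix_plugin_link "$link" "$old" "$new")   # dangling link
    final=$(readlink "$link")
    rm -rf "$tmp"
    echo "$r1 $r2 $r3 $r4 $r5"
    [ "$final" = "$new" ]
}

demo
```

Inside an rpm scriptlet the call would additionally be guarded by `[ $1 -gt 1 ]` so it only runs on upgrade, as Petr's %pre does, and for the 8.2/SLEC case it has to run in %post so that the new link is already in place when add-plugins.sh runs afterwards (see the note on ordering above). The byte-comparison branch only makes sense in %pre: once the new package is unpacked, the old file it would be compared against is gone.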
the 9.0 , 9.1, 9.2 and sles9 packages are already ok, so i submitted patchinfos for those (based on the ones below). swampid: 99
Sonja, did you test Petr's packages?
I've submitted Petr's version for SLES8 / 8.1-i386 (thanks!). Please note that the testcase still will and must fail in QA due to the wrong-gcc-problem Petr mentioned above.
to Comment #18: I tested the package built from ~pmladek/Export/SLD-1/BlackdownJava-JRE/ on 8.2-i386, but the problem with the disappearing link to the plugin (it is deleted by a mozilla %triggerun script, see Comment #14 or bug 63701), so I guess we have to wait for the mozilla update or just document the bug and get the security update out as it is now.
Should have read: "...the problem with the disappearing link [...] is still there, so I guess...". Sorry.
Submitted the latest (pmladek's) version of BlackdownJava2-JRE to SLEC and 8.2-i386.
updates released.
CVE-2004-1029: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)