74219 – (CVE-2005-0836) VUL-0: CVE-2005-0836: Java Web Start JNLP File Command Line Argument Injection Vulnerability

Bug 74219 (CVE-2005-0836) - VUL-0: CVE-2005-0836: Java Web Start JNLP File Command Line Argument Injection Vulnerability

Summary: VUL-0: CVE-2005-0836: Java Web Start JNLP File Command Line Argument Injectio...

Status:	VERIFIED FIXED

Alias:	CVE-2005-0836

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	All All

Priority:	P5 - None Severity: Critical
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2005-03-22 09:48 UTC by Masaji Takeyama
Modified:	2021-11-04 16:03 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Other
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Masaji Takeyama 2005-03-22 09:48:15 UTC

The J2SE 1.4.2_07 was released.
# The vulnerability affects Java Web Start included in J2SE releases
# 1.4.2 through 1.4.2_06 for Windows, Solaris and Linux.

Range of influence:
Sun Java JRE 1.4.x, Sun Java SDK 1.4.x,(Java Web Start 1.x)

Please see the following about details.
http://secunia.com/advisories/14640/
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57740-1

Comment 1 Sonja Krause-Harder 2005-03-22 10:16:49 UTC

Please also have a look at bug #63780 - java webstart doesn't work at all due  
to glibc incompatibilities which we can't fix as we only redistribute prebuilt  
binaries.  
  
I'll prepare updated packages anyway. Reassigning to security team for  
tracking.  
  
(Andreas, any chance to get a new java-1_4_2-sun into 9.3?)

Comment 2 Sonja Krause-Harder 2005-03-22 11:03:17 UTC

More detail. javaws only works with a glibc <= 2.3.2 (according to 
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6188963) and is vulnerable 
in all 1.4.2 versions <= 1.4.2_06. If I'm not mistaken, this leaves the 8.2 
and 9.0 codebases where we need an update.

Comment 3 Marcus Meissner 2005-03-22 12:18:45 UTC

please provide updates only for the codebases which are working. (as 
discussed)

Comment 4 Masaji Takeyama 2005-03-23 05:01:49 UTC

Please teach concretely. 

Are SUSE 9.0 and SUSE 8.2 discussed?
#(javaws only works with a glibc <= 2.3.2)

Or, Are SUSE 9.2, 9.1, 9.0, and 8.2 discussed?

It already seems to have prepared SUSE 9.3. 

Update pakeages(It has been released before.):
  ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/
  java2-1.4.2-140.i586.rpm

  ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/
  java2-1.4.2-137.i586.rpm

  ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/
  java2-1.4.2-129.10.i586.rpm

  ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/
  java-1_4_2-sun-1.4.2.06-1.1.i586.rpm


P.S.
I tested javaws in SUSE 9.1. 
The javaws works with a glibc-2.3.3 in SUSE 9.1.
( I think that SUSE 9.1 becomes the object of Update. )

#####(Test environment of SUSE 9.1)#####
glibc-2.3.3-98
(xorg-x11-libs-6.8.1-14.1)

java2-1.4.2-129.10
java2-jre-1.4.2-129.10

# java -version
java version "1.4.2_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_06-b03)
Java HotSpot(TM) Client VM (build 1.4.2_06-b03, mixed mode)
#######################

Comment 5 Thomas Biege 2005-05-24 15:07:50 UTC

Sonja will do updates.

Comment 6 Jason Record 2005-06-15 21:48:37 UTC

Do we have a fix for this?

Comment 7 Marcus Meissner 2005-06-16 07:57:49 UTC

sonja? why has this been left lying around?

Comment 8 Thomas Biege 2005-06-17 07:42:13 UTC

CAN-2005-0836
SM-Tracker-1576

Comment 9 Sonja Krause-Harder 2005-06-17 10:56:56 UTC

Packages submitted.

Comment 10 Marcus Meissner 2005-06-22 12:12:30 UTC

updates and advisory released