portaudit prevents installation of linux-sun-jdk16 (and java browser plugins)

Juergen Lock nox at jelal.kn-bremen.de
Thu May 6 18:51:15 UTC 2010

In article <20100503130401.GA54358 at server-king.de> you write:
>I've sent the following email to java at freebsd.org & secteam at FreeBSD.org
>one month ago, but I got no answer.
>The same problem still exists with linux-sun-jdk-
>Date: Mon, 29 Mar 2010 00:48:36 +0200
>To: java at freebsd.org, secteam at FreeBSD.org
>Subject: portaudit prevents installation of linux-sun-jdk16
>Hi java at freebsd.org & secteam at FreeBSD.org,
>I think this is both a java and a portaudit issue.
>I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6:
Does that actually work for you in Linux ff?  Here I just get either
the applet replaced with a grey box or a hung ff depending on which
version of Linux ff I try...  (I tried 3.5.8 and 3.5.9 i.e. the
www/linux-firefox-devel port as well as several ff 3.6 and 3.7 Linux
builds off mozilla.org simply run from the extracted dir; It does work
in linux-opera as well as in both the kde3 and the kde4 versions of
konqueror so I guess its not the Linuxolator's fault alone...)
If you want to see for yourself the new plugin is in


- symlink that into ~/.mozilla/plugins and then go to e.g.


with Linux ff.  And the old plugin in


hangs Linux ff 3.5.9 too - and obviously doesn't work in ff >= 3.6.
Oh and the old native plugin,


does work in native ff 3.5, just not in 3.6 of course because of the
api change.

>So had a look at the versions of /usr/ports/java/*jdk16* on my
>FreeBSD machine.
>linux-sun-jdk- seems to be the only port in the tree that
>meets the requirements. But if I try to make it, portaudit prevents
>the build:
>===>  linux-sun-jdk- has known vulnerabilities:
>=> jdk -- jar directory traversal vulnerability.
>   Reference: <http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a
>But if I have a look at the reference URL, 1.6 does not seem to be
>affected. I did a portaudit -F in order to make sure my database
>is up to date.
>So is this a false positive that should get fixed?
>There was a PR on this in 2007:
>The reason for this PR to get closed was it was reproducable with
>My open questions:
>1. Is linux-sun-jdk- still vulnerable? Sorry, I don't have
>a bad.jar, but I'm willing to test.
 Turns out it actually still is (wtf!!), also linux-sun-jdk- which
I just updated to if I do the test mentioned in:


zsh triton8% rm /tmp/test
zsh triton8% /usr/local/linux-sun-jdk1.6.0/bin/jar xvf trash.jar
 inflated: ../../../../tmp/test
zsh: killed     /usr/local/linux-sun-jdk1.6.0/bin/jar xvf trash.jar
zsh triton8% echo $?
zsh triton8% ls -l /tmp/test
-rw-r--r--  1 nox  wheel  3 May  6 18:32 /tmp/test
zsh triton8%

 (and the SIGKILL is strange too.)

>2. Shouldn't
>http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get
>updated in order to make clear at least linux-sun-jdk- was
>3. Why does portaudit think it's vulnerable even if the auditfile
>does not seem to contain a matching entry for linux-sun-jdk-
>$ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile
>jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-sun-jdk<=|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-sun-jdk>=1.5.*<=,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability

 ..and this is because linux-sun-jdk15 has had its PORTEPOCH bumped
twice (the ,2), while linux-sun-jdk16 has no PORTEPOCH yet, so is considered smaller than,2.  (And once there actually
_is_ a linux-sun-jdk16 version where this bug is fixed I guess we'd have
to do seperate ranges like:




More information about the freebsd-java mailing list