portaudit prevents installation of linux-sun-jdk16

Frank Bartels freebsd at knarf.de
Mon May 3 13:20:52 UTC 2010


I've sent the following email to java at freebsd.org & secteam at FreeBSD.org
one month ago, but I got no answer.

The same problem still exists with linux-sun-jdk-1.6.0.20.

Date: Mon, 29 Mar 2010 00:48:36 +0200
To: java at freebsd.org, secteam at FreeBSD.org
Subject: portaudit prevents installation of linux-sun-jdk16

Hi java at freebsd.org & secteam at FreeBSD.org,

I think this is both a java and a portaudit issue.

I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6:

http://www.java.com/en/download/faq/firefox_newplugin.xml

So I had a look at the versions of /usr/ports/java/*jdk16* on my
FreeBSD machine.

linux-sun-jdk-1.6.0.18 seems to be the only port in the tree that
meets the requirements. But if I try to make it, portaudit prevents
the build:

===>  linux-sun-jdk-1.6.0.18 has known vulnerabilities:
=> jdk -- jar directory traversal vulnerability.
   Reference: <http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>

But if I have a look at the reference URL, 1.6 does not seem to be
affected. I did a portaudit -F in order to make sure my database
is up to date.

So is this a false positive that should get fixed?

There was a PR on this in 2007:

http://www.freebsd.org/cgi/query-pr.cgi?pr=115558&cat=

The reason this PR was closed was that it was reproducible with
linux-sun-jdk-1.6.0.02.

http://freebsd.monkey.org/freebsd-java/200708/msg00101.html

My open questions:

1. Is linux-sun-jdk-1.6.0.18 still vulnerable? Sorry, I don't have
a bad.jar, but I'm willing to test.

2. Shouldn't
http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get
updated in order to make clear at least linux-sun-jdk-1.6.0.02 was
vulnerable?

3. Why does portaudit think it's vulnerable even if the auditfile
does not seem to contain a matching entry for linux-sun-jdk-1.6.0.18?

$ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile
jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-blackdown-jdk<=1.4.2_2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk<=1.3.1.0_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk-freebsd6<=i386.1.5.0.07.00|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-jdk>=0|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability

Thanks for listening,
Knarf
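As an added example (not from the post or from portaudit), the following parses auditfile entries like those quoted above and checks a package name and version against their bounds; it also shows the general epoch-first property that a version with no ",N" epoch sorts below any bound that carries one, which is one way an unexpected match can arise, without claiming that is what happened to linux-sun-jdk-1.6.0.18. Assumptions: the version ordering is a simplified stand-in for pkg_version(1), the sample entries are a constructed subset of the grep output, and the test versions (with and without epoch 2) are constructed.

```python
import operator
import re

# Constructed sample: a subset of the auditfile entries quoted in the post.
URL = "http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html"
DESC = "jdk -- jar directory traversal vulnerability"
AUDITFILE = "\n".join(f"{spec}|{URL}|{DESC}" for spec in [
    "jdk<=1.2.2p11_3",
    "jdk>=1.5.*<=1.5.0p1_1",
    "linux-sun-jdk<=1.4.2.08_1",
    "linux-sun-jdk>=1.5.*<=1.5.2.02,2",
    "linux-jdk>=0",
])
OPS = {"<=": operator.le, ">=": operator.ge, "<": operator.lt,
       ">": operator.gt, "=": operator.eq}

def version_key(v):
    """Simplified stand-in for pkg_version(1) ordering (an assumption, not the
    real algorithm): the epoch after ',' is compared first, then the dotted
    components (digit runs numerically, letter runs as strings), then the
    revision after '_'.  A '*' component is dropped, so '1.5.*' reads as '1.5'."""
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    comps = []
    for comp in v.split("."):
        if comp != "*":
            comps.append([(0, int(t)) if t.isdigit() else (1, t)
                          for t in re.findall(r"\d+|[A-Za-z]+", comp)])
    return (int(epoch or 0), comps, int(rev or 0))

def parse_entry(line):
    """Split 'pkg<op>ver[<op>ver]|url|description' into (spec, name, bounds, url, desc)."""
    spec, url, desc = line.split("|", 2)
    name, cond = re.match(r"([^<>=]+)(.*)", spec).groups()
    bounds = re.findall(r"(<=|>=|<|>|=)([^<>=]+)", cond)
    return spec, name, bounds, url, desc

def affected_entries(auditfile, name, version):
    """Return the specs whose package name equals `name` exactly ('linux-jdk'
    does not cover 'linux-sun-jdk') and whose every bound holds for `version`."""
    key = version_key(version)
    hits = []
    for spec, ename, bounds, _url, _desc in map(parse_entry, auditfile.splitlines()):
        if ename == name and all(OPS[op](key, version_key(b)) for op, b in bounds):
            hits.append(spec)
    return hits

if __name__ == "__main__":
    for ver in ("1.6.0.18,2", "1.6.0.18", "1.5.0.10,2"):
        print(ver, "->", affected_entries(AUDITFILE, "linux-sun-jdk", ver))
```

With epoch 2 the 1.6.0.18 version matches no entry, while the same version string without an epoch falls under the `<=1.5.2.02,2` bound purely because epoch 0 sorts below epoch 2.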