portaudit prevents installation of linux-sun-jdk16 (and java browser plugins)

Juergen Lock nox at jelal.kn-bremen.de
Thu May 6 18:51:15 UTC 2010 

In article <20100503130401.GA54358 at server-king.de> you write:
>I've sent the following email to java at freebsd.org & secteam at FreeBSD.org
>one month ago, but I got no answer.
>
>The same problem still exists with linux-sun-jdk-1.6.0.20.
>
>Date: Mon, 29 Mar 2010 00:48:36 +0200
>To: java at freebsd.org, secteam at FreeBSD.org
>Subject: portaudit prevents installation of linux-sun-jdk16
>
>Hi java at freebsd.org & secteam at FreeBSD.org,
>
>I think this is both a java and a portaudit issue.
>
>I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6:
>
>http://www.java.com/en/download/faq/firefox_newplugin.xml
>
Does that actually work for you in Linux ff?  Here I just get either
the applet replaced with a grey box or a hung ff depending on which
version of Linux ff I try...  (I tried 3.5.8 and 3.5.9 i.e. the
www/linux-firefox-devel port as well as several ff 3.6 and 3.7 Linux
builds off mozilla.org simply run from the extracted dir; It does work
in linux-opera as well as in both the kde3 and the kde4 versions of
konqueror so I guess its not the Linuxolator's fault alone...)
If you want to see for yourself the new plugin is in

	/usr/local/linux-sun-jdk1.6.0/jre/lib/i386/libnpjp2.so

- symlink that into ~/.mozilla/plugins and then go to e.g.

	http://www.java.com/en/download/help/testvm.xml

with Linux ff.  And the old plugin in

	/usr/local/linux-sun-jdk1.6.0/jre/plugin/i386/ns7/libjavaplugin_oji.so

hangs Linux ff 3.5.9 too - and obviously doesn't work in ff >= 3.6.
Oh and the old native plugin,

	/usr/local/diablo-jdk1.6.0/jre/plugin/amd64/ns7/libjavaplugin_oji.so

does work in native ff 3.5, just not in 3.6 of course because of the
api change.

>So had a look at the versions of /usr/ports/java/*jdk16* on my
>FreeBSD machine.
>
>linux-sun-jdk-1.6.0.18 seems to be the only port in the tree that
>meets the requirements. But if I try to make it, portaudit prevents
>the build:
>
>===>  linux-sun-jdk-1.6.0.18 has known vulnerabilities:
>=> jdk -- jar directory traversal vulnerability.
>   Reference: <http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a
>.html>
>
>But if I have a look at the reference URL, 1.6 does not seem to be
>affected. I did a portaudit -F in order to make sure my database
>is up to date.
>
>So is this a false positive that should get fixed?
>
>There was a PR on this in 2007:
>
>http://www.freebsd.org/cgi/query-pr.cgi?pr=115558&cat=
>
>The reason for this PR to get closed was it was reproducable with
>linux-sun-jdk-1.6.0.02.
>
>http://freebsd.monkey.org/freebsd-java/200708/msg00101.html
>
>My open questions:
>
>1. Is linux-sun-jdk-1.6.0.18 still vulnerable? Sorry, I don't have
>a bad.jar, but I'm willing to test.
>
 Turns out it actually still is (wtf!!), also linux-sun-jdk-1.6.0.20 which
I just updated to if I do the test mentioned in:

	http://www.securiteam.com/securitynews/5IP0C0AFGW.html

[...]
zsh triton8% rm /tmp/test
zsh triton8% /usr/local/linux-sun-jdk1.6.0/bin/jar xvf trash.jar
[...]
 inflated: ../../../../tmp/test
zsh: killed     /usr/local/linux-sun-jdk1.6.0/bin/jar xvf trash.jar
zsh triton8% echo $?
137
zsh triton8% ls -l /tmp/test
-rw-r--r--  1 nox  wheel  3 May  6 18:32 /tmp/test
zsh triton8%

 (and the SIGKILL is strange too.)

>2. Shouldn't
>http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get
>updated in order to make clear at least linux-sun-jdk-1.6.0.02 was
>vulnerable?
>
>3. Why does portaudit think it's vulnerable even if the auditfile
>does not seem to contain a matching entry for linux-sun-jdk-1.6.0.18?
>
>$ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile
>jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
>linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability

 ..and this is because linux-sun-jdk15 has had its PORTEPOCH bumped
twice (the ,2), while linux-sun-jdk16 has no PORTEPOCH yet, so
1.6.0.18 is considered smaller than 1.5.2.02,2.  (And once there actually
_is_ a linux-sun-jdk16 version where this bug is fixed I guess we'd have
to do seperate ranges like:

	<range><ge>1.5.*</ge><le>1.6.42</le></range>
	<range><ge>1.5.*,1</ge><le>1.5.2.02,1</le></range>
	<range><ge>1.5.*,2</ge><le>1.5.2.02,2</le></range>

)

 HTH,
	Juergen

More information about the freebsd-ports mailing list