Bug 46695 – openjdk-8: Multiple issues (4.3)

Bug 46695 - openjdk-8: Multiple issues (4.3)


Summary:	openjdk-8: Multiple issues (4.3)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.3
Hardware:	All Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 4.3-0-errata
Assigned To:	Philipp Hahn
QA Contact:	Arvid Requate

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2018-03-19 13:36 CET by Philipp Hahn
Modified:	2018-05-16 17:04 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Philipp Hahn

2018-03-19 13:36:16 CET

New Debian openjdk-8 8u162-b12-1~deb9u1 fixes:
This update addresses the following issues:
* CVE-2016-10165: Improve CMS header processing. Missing bounds check could
lead to leaked memory contents.
* CVE-2016-9841: Upgrade compression library. There were four off by one
errors found in the zlib library. Two of them are long typed which could
lead to RCE.
* CVE-2017-10274: Handle smartcard clean up better. If a CardImpl can be
recovered via finalization, then separate instances pointing to the same
device can be created.
* CVE-2017-10281: Better queuing priorities. PriorityQueue's readObject
allocates an array based on data in the stream which could cause an OOM.
* CVE-2017-10285: Unreferenced references. RMI's Unreferenced thread can be
used as the root of a Trusted Method Chain.
* CVE-2017-10295: Better URL connections. On Ubuntu (and possibly other Linux
flavors) CR-NL in the host field are ignored and can be used to inject
headers in an HTTP request stream.
* CVE-2017-10345: Better keystore handling. A malicious serialized object in
a keystore can cause a DoS when using keytool.
* CVE-2017-10346: Better alignment of special invocations. A missing load
constraint for some invokespecial cases can allow invoking a method from an
unrelated class.
* CVE-2017-10347: Better timezone processing. An array is allocated based on
data in the serial stream without a limit on the size.
* CVE-2017-10348: Better processing of unresolved permissions. An array is
allocated based on data in the serial stream without a limit on the size.
* CVE-2017-10349: Better Node predications. An array is allocated based on
data in the serial stream without a limit on the size.
* CVE-2017-10350: Better Base Exceptions. An array is allocated based on data
in the serial stream without a limit on the size.
* CVE-2017-10355: More stable connection processing. If an attack can cause
an application to open a connection to a malicious FTP server (e.g., via
XML), then a thread can be tied up indefinitely in accept(2).
* CVE-2017-10356: Update storage implementations. JKS and JCEKS keystores
should be retired from common use in favor of more modern keystore
protections.
* CVE-2017-10357: Process Proxy presentation. A malicious serialized stream
could cause an OOM due to lack on checking on the number of interfaces read
from the stream for a Proxy.
* CVE-2017-10388: Correct Kerberos ticket grants. Kerberos implementations
can incorrectly take information from the unencrypted portion of the ticket
from the KDC. This can lead to an MITM attack impersonating Kerberos
services.
* CVE-2018-2579: unsynchronized access to encryption key data
* CVE-2018-2582: insufficient validation of the invokeinterface instruction
* CVE-2018-2588: LdapLoginModule insufficient username encoding in LDAP query
* CVE-2018-2599: DnsClient missing source port randomization
* CVE-2018-2602: loading of classes from untrusted locations
* CVE-2018-2603: DerValue unbounded memory allocation
* CVE-2018-2618: insufficient strength of key agreement
* CVE-2018-2629: GSS context use-after-free
* CVE-2018-2633: LDAPCertStore insecure handling of LDAP referrals
* CVE-2018-2634: use of global credentials for HTTP/SPNEGO
* CVE-2018-2637: SingleEntryRegistry incorrect setup of deserialization
filter
* CVE-2018-2641: GTK library loading use-after-free
* CVE-2018-2663: ArrayBlockingQueue deserialization to an inconsistent state
* CVE-2018-2677: unbounded memory allocation during deserialization
* CVE-2018-2678: unbounded memory allocation in BasicAttributes
deserialization

CVE-2018-2633 OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606)
CVE-2018-2634 OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600)
CVE-2018-2603 OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387)
CVE-2018-2629 OpenJDK: GSS context use-after-free (JGSS, 8186212)
CVE-2018-2579 OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525)
CVE-2018-2641 OpenJDK: GTK library loading use-after-free (AWT, 8185325)
CVE-2018-2618 OpenJDK: insufficient strength of key agreement (JCE, 8185292)
CVE-2018-2602 OpenJDK: loading of classes from untrusted locations (I18n, 8182601)
CVE-2018-2637 OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998)
CVE-2018-2599 OpenJDK: DnsClient missing source port randomization (JNDI, 8182125)
CVE-2018-2677 OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289)
CVE-2018-2678 OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142)
CVE-2018-2663 OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284)
CVE-2018-2582 OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962)
CVE-2018-2588 OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449)
CVE-2017-10274 OpenJDK: CardImpl incorrect state handling (Smart Card IO, 8169026)
CVE-2017-10281 OpenJDK: multiple unbounded memory allocations in deserialization (Serialization, 8174109)
CVE-2017-10285 OpenJDK: incorrect privilege use when handling unreferenced objects (RMI, 8174966)
CVE-2017-10295 OpenJDK: HTTP client insufficient check for newline in URLs (Networking, 8176751)
CVE-2017-10388 OpenJDK: use of unprotected sname in Kerberos client (Libraries, 8178794)
CVE-2017-10346 OpenJDK: insufficient loader constraints checks for invokespecial (Hotspot, 8180711)
CVE-2017-10350 OpenJDK: unbounded memory allocation in JAXWSExceptionBase deserialization (JAX-WS, 8181100)
CVE-2017-10347 OpenJDK: unbounded memory allocation in SimpleTimeZone deserialization (Serialization, 8181323)
CVE-2017-10349 OpenJDK: unbounded memory allocation in PredicatedNodeTest deserialization (JAXP, 8181327)
CVE-2017-10345 OpenJDK: unbounded resource use in JceKeyStore deserialization (Serialization, 8181370)
CVE-2017-10348 OpenJDK: multiple unbounded memory allocations in deserialization (Libraries, 8181432)
CVE-2017-10357 OpenJDK: unbounded memory allocation in ObjectInputStream deserialization (Serialization, 8181597)
CVE-2017-10355 OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612)
CVE-2017-10356 OpenJDK: weak protection of key stores against brute forcing (Security, 8181692)
CVE-2016-10165 lcms2: Out-of-bounds read in Type_MLU_Read()
CVE-2016-9841 zlib: Out-of-bounds pointer arithmetic in inffast.c

Comment 1 Philipp Hahn

2018-03-19 13:37:23 CET

[4.3-0] 4788ab0212 Bug #46695: openjdk-8_8u162-b12-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)

Copied from Debian

Comment 2 Quality Assurance

2018-05-04 16:43:56 CEST

--- mirror/ftp/4.3/unmaintained/4.3-0/source/openjdk-8_8u151-b12-1~deb9u1.dsc
+++ apt/ucs_4.3-0-errata4.3-0/source/openjdk-8_8u162-b12-1~deb9u1.dsc
@@ -1,6 +1,57 @@
-8u151-b12-1~deb9u1 [Wed, 01 Nov 2017 14:17:57 +0000] Moritz Muehlenhoff <jmm@debian.org>:
+8u162-b12-1~deb9u1 [Fri, 16 Mar 2018 00:05:30 +0100] Moritz Mühlenhoff <jmm@debian.org>:
 
   * Rebuild for stretch-security
+
+8u162-b12-1 [Thu, 15 Mar 2018 18:19:50 +0100] Matthias Klose <doko@ubuntu.com>:
+
+  [ Tiago Stürmer Daitx ]
+  * Update to 8u162-b12. Hotspot 8u162-b12 for aarch32 and 8u161-b16
+    for aarch64 (wth 8u162-b12 patches).
+  * Security updates:
+    - CVE-2018-2633,S8186606: Improve LDAP lookup robustness.
+    - CVE-2018-2637,S8186998: Improve JMX supportive features.
+    - CVE-2018-2634,S8186600: Improve property negotiations.
+    - CVE-2018-2582,S8174962: Better interface invocations.
+    - CVE-2018-2641,S8185325: Improve GTK initialization.
+    - CVE-2018-2618,S8185292: Stricter key generation.
+    - CVE-2018-2629,S8186212: Improve GSS handling.
+    - CVE-2018-2603,S8182387: Improve PKCS usage.
+    - CVE-2018-2599,S8182125: Improve reliability of DNS lookups.
+    - CVE-2018-2602,S8182601: Improve usage messages.
+    - CVE-2018-2588,S8178449: Improve LDAP logins.
+    - CVE-2018-2678,S8191142: More refactoring for naming deserialization
+      cases.
+    - CVE-2018-2677,S8190289: More refactoring for client deserialization
+      cases.
+    - CVE-2018-2663,S8189284: More refactoring for deserialization cases.
+    - CVE-2018-2579,S8172525: Improve key keying case.
+  * d/p/aarch64-hotspot-8u162-b12.patch: update aarch64 hotspot to 8u162-b12.
+  * d/p/icedtea-4953367.patch: removed, fixed upstream by "S8136570: Stop
+    changing user environment variables related to /usr/dt".
+  * d/p/gcc6.diff: removed, fixed upstream.
+  * d/p/jdk-getAccessibleValue.diff: updated, removed chunks fixed upstream
+    by "S8076249: NPE in AccessBridge while editing JList model" and
+    "S8145207: [macosx] JList, VO can't access non-visible list items".
+  * d/p/openjdk-ppc64el-S8170153.patch, d/p/8164293.diff,
+    d/p/hotspot-ppc64el-S8145913-montgomery-multiply-intrinsic.patch,
+    d/p/hotspot-ppc64el-S8168318-cmpldi.patch,
+    d/p/hotspot-ppc64el-S8170328-andis.patch,
+    d/p/hotspot-ppc64el-S8175813-mbind-invalid-argument.patch,
+    d/p/hotspot-ppc64el-S8181055-use-numa-v2-api.patch,
+    d/p/hotspot-ppc64el-S8181810-leverage-extrdi.patch: removed,
+    applied upstream.
+  * d/rules, d/control: depend on GKT3 instead of GTK2 for newer releases.
+    LP: #1735482.
+  * d/rules: wait 10 seconds before issuing SIGKILL to buildwatch.
+  * d/buildwatch.sh: find hs_err files and cat them to help debugging build
+    failures.
+  * S8173853: IllegalArgumentException in java.awt.image.ReplicateScaleFilter.
+    LP: #8173853.
+
+  [ Matthias Klose ]
+  * Disable Hotspot workaround for Exec Shield (Debian only).
+    Closes: #876051.
+  * Fix some lintian warnings.
 
 8u151-b12-1 [Wed, 01 Nov 2017 07:12:56 +0100] Matthias Klose <doko@ubuntu.com>:
 
@@ -28,17 +79,17 @@
       missing load constraint for some invokespecial cases can allow invoking
       a method from an unrelated class.
     - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
-      based on data in the serial stream without a limit onthe size.
+      based on data in the serial stream without a limit on the size.
     - CVE-2017-10347, S8181323: Better timezone processing. An array is
       allocated based on data in the serial stream without a limit on the
       size.
     - CVE-2017-10349, S8181327: Better Node predications. An array is
-      allocated based on data in the serial stream without a limit onthe size.
+      allocated based on data in the serial stream without a limit on the size.
     - CVE-2017-10345, S8181370: Better keystore handling. A malicious
       serialized object in a keystore can cause a DoS when using keytool.
     - CVE-2017-10348, S8181432: Better processing of unresolved permissions.
       An array is allocated based on data in the serial stream without a limit
-      onthe size.
+      on the size.
     - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
       serialized stream could cause an OOM due to lack on checking on the
       number of interfaces read from the stream for a Proxy.

Comment 3 Philipp Hahn

2018-05-04 17:14:39 CEST

[4.3-0] 7259dad414 Bug #46695: openjdk-8 8u171-b11-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 29 ++++++++++++++++++++++++++++-

Comment 4 Quality Assurance

2018-05-04 17:20:44 CEST

--- mirror/ftp/4.3/unmaintained/4.3-0/source/openjdk-8_8u151-b12-1~deb9u1.dsc
+++ apt/ucs_4.3-0-errata4.3-0/source/openjdk-8_8u171-b11-1~deb9u1.dsc
@@ -1,6 +1,91 @@
-8u151-b12-1~deb9u1 [Wed, 01 Nov 2017 14:17:57 +0000] Moritz Muehlenhoff <jmm@debian.org>:
+8u171-b11-1~deb9u1 [Fri, 27 Apr 2018 14:37:13 +0000] Moritz Muehlenhoff <jmm@debian.org>:
 
   * Rebuild for stretch-security
+
+8u171-b11-1 [Fri, 27 Apr 2018 08:56:10 +0200] Matthias Klose <doko@ubuntu.com>:
+
+  [ Tiago Stürmer Daitx ]
+  * Update to 8u171-b11. Hotspot 8u162-b12 for aarch32 with 8u171-b10 hotspot
+    security fixes and 8u171-b10 for aarch64.
+    - CVE-2018-2790,S8189969: Manifest better manifest entries.
+    - CVE-2018-2795,S8189977: Improve permission portability.
+    - CVE-2018-2796,S8189981: Improve queuing portability.
+    - CVE-2018-2797,S8189985: Improve tabular data portability.
+    - CVE-2018-2798,S8189989: Improve container portability.
+    - CVE-2018-2799,S8189993: Improve document portability.
+    - CVE-2018-2794,S8189997: Enhance keystore mechanisms.
+    - CVE-2018-2814,S8192025: Less referential references.
+    - CVE-2018-2815,S8192757: Improve stub classes implementation.
+    - CVE-2018-2800,S8193833: Better RMI connection support.
+    - S8169080: Improve documentation examples for crypto applications.
+    - S8180881: Better packaging of deserialization.
+    - S8182362: Update CipherOutputStream Usage.
+    - S8189123: More consistent classloading.
+    - S8190478: Improved interface method selection.
+    - S8190877: Better handling of abstract classes.
+    - S8191696: Better mouse positioning.
+    - S8192030: Better MTSchema support.
+    - S8193409: Improve AES supporting classes.
+    - S8193414: Improvements in MethodType lookups.
+  * d/p/aarch64-hotspot-8u162-b12.patch: removed, tarball has been updated to
+    8u171-b10.
+  * d/p/hotspot-S8185723-zero-ppc32-atomic_copy64-fix.patch,
+    d/p/hotspot-S8201509-zero-s390x-atomic_copy64-fix.patch: fix ppc32, s390x
+    javac segmentation fault caused by wrong inline assembler.
+
+  [ Matthias Klose ]
+  * Bump standards version.
+
+8u162-b12-1 [Thu, 15 Mar 2018 18:19:50 +0100] Matthias Klose <doko@ubuntu.com>:
+
+  [ Tiago Stürmer Daitx ]
+  * Update to 8u162-b12. Hotspot 8u162-b12 for aarch32 and 8u161-b16
+    for aarch64 (wth 8u162-b12 patches).
+  * Security updates:
+    - CVE-2018-2633,S8186606: Improve LDAP lookup robustness.
+    - CVE-2018-2637,S8186998: Improve JMX supportive features.
+    - CVE-2018-2634,S8186600: Improve property negotiations.
+    - CVE-2018-2582,S8174962: Better interface invocations.
+    - CVE-2018-2641,S8185325: Improve GTK initialization.
+    - CVE-2018-2618,S8185292: Stricter key generation.
+    - CVE-2018-2629,S8186212: Improve GSS handling.
+    - CVE-2018-2603,S8182387: Improve PKCS usage.
+    - CVE-2018-2599,S8182125: Improve reliability of DNS lookups.
+    - CVE-2018-2602,S8182601: Improve usage messages.
+    - CVE-2018-2588,S8178449: Improve LDAP logins.
+    - CVE-2018-2678,S8191142: More refactoring for naming deserialization
+      cases.
+    - CVE-2018-2677,S8190289: More refactoring for client deserialization
+      cases.
+    - CVE-2018-2663,S8189284: More refactoring for deserialization cases.
+    - CVE-2018-2579,S8172525: Improve key keying case.
+  * d/p/aarch64-hotspot-8u162-b12.patch: update aarch64 hotspot to 8u162-b12.
+  * d/p/icedtea-4953367.patch: removed, fixed upstream by "S8136570: Stop
+    changing user environment variables related to /usr/dt".
+  * d/p/gcc6.diff: removed, fixed upstream.
+  * d/p/jdk-getAccessibleValue.diff: updated, removed chunks fixed upstream
+    by "S8076249: NPE in AccessBridge while editing JList model" and
+    "S8145207: [macosx] JList, VO can't access non-visible list items".
+  * d/p/openjdk-ppc64el-S8170153.patch, d/p/8164293.diff,
+    d/p/hotspot-ppc64el-S8145913-montgomery-multiply-intrinsic.patch,
+    d/p/hotspot-ppc64el-S8168318-cmpldi.patch,
+    d/p/hotspot-ppc64el-S8170328-andis.patch,
+    d/p/hotspot-ppc64el-S8175813-mbind-invalid-argument.patch,
+    d/p/hotspot-ppc64el-S8181055-use-numa-v2-api.patch,
+    d/p/hotspot-ppc64el-S8181810-leverage-extrdi.patch: removed,
+    applied upstream.
+  * d/rules, d/control: depend on GKT3 instead of GTK2 for newer releases.
+    LP: #1735482.
+  * d/rules: wait 10 seconds before issuing SIGKILL to buildwatch.
+  * d/buildwatch.sh: find hs_err files and cat them to help debugging build
+    failures.
+  * S8173853: IllegalArgumentException in java.awt.image.ReplicateScaleFilter.
+    LP: #8173853.
+
+  [ Matthias Klose ]
+  * Disable Hotspot workaround for Exec Shield (Debian only).
+    Closes: #876051.
+  * Fix some lintian warnings.
 
 8u151-b12-1 [Wed, 01 Nov 2017 07:12:56 +0100] Matthias Klose <doko@ubuntu.com>:
 
@@ -28,17 +113,17 @@
       missing load constraint for some invokespecial cases can allow invoking
       a method from an unrelated class.
     - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
-      based on data in the serial stream without a limit onthe size.
+      based on data in the serial stream without a limit on the size.
     - CVE-2017-10347, S8181323: Better timezone processing. An array is
       allocated based on data in the serial stream without a limit on the
       size.
     - CVE-2017-10349, S8181327: Better Node predications. An array is
-      allocated based on data in the serial stream without a limit onthe size.
+      allocated based on data in the serial stream without a limit on the size.
     - CVE-2017-10345, S8181370: Better keystore handling. A malicious
       serialized object in a keystore can cause a DoS when using keytool.
     - CVE-2017-10348, S8181432: Better processing of unresolved permissions.
       An array is allocated based on data in the serial stream without a limit
-      onthe size.
+      on the size.
     - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
       serialized stream could cause an OOM due to lack on checking on the
       number of interfaces read from the stream for a Proxy.

Comment 5 Arvid Requate

2018-05-15 10:53:57 CEST

* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory adjusted:
  f6fb3894a8 | sort CVEs

Comment 6 Arvid Requate

2018-05-16 17:04:16 CEST

<http://errata.software-univention.de/ucs/4.3/62.html>