itweb-settings in icedtea-netx actually depends on openjdk-6

Bug #1078424 reported by Alexander Bürger on 2012-11-13
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
icedtea-web (Ubuntu) | | Undecided | Unassigned |
Precise | | Undecided | Unassigned |

Bug Description

Package: icedtea-netx

Version: 1.2-2ubuntu1.3

Depends: … openjdk-6-jre (>= 6b23~pre10~) | openjdk-7-jre …

so it is either openjdk-6 or -7, but /usr/bin/itweb-settings looks like:
========================================
#!/bin/sh
JAVA=/usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java

========================================

Replacing this with
========================================
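#!/bin/sh
# Pick the first installed OpenJDK JRE (6, then 7) allowed by Depends.
# Start from an empty JAVA so a value inherited from the environment is ignored.
JAVA=
for V in 6 7; do
  J=/usr/lib/jvm/java-$V-openjdk-amd64/jre/bin/java
  if test -x "$J"; then
    JAVA=$J
    break
  fi
done
# Abort if neither JRE is installed.
test -n "$JAVA" || exit 1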

========================================
makes the control panel compatible with both major openjdk versions, as specified in Depends.
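
The mismatch reported above (a launcher pinned to one JVM path while Depends allows another) can be checked for mechanically. The script below is an added example, not part of the original report or of the icedtea-web package: it extracts the literal JAVA= path from a launcher and tests whether that path is executable. The function names, the optional root-prefix argument and the sandbox tree are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag launcher scripts whose hardcoded JAVA= path is missing.
# Function names and the root-prefix argument are hypothetical.

# Print the first absolute path literally assigned to JAVA in script $1.
pinned_java() {
    sed -n 's|^JAVA=\(/[^[:space:]]*\).*$|\1|p' "$1" | sed -n '1p'
}

# Status: 0 = pinned JVM is executable, 1 = pinned JVM missing,
# 2 = no literal pin. $2 is an optional root prefix for sandbox trees.
check_launcher() {
    pin=$(pinned_java "$1")
    [ -n "$pin" ] || return 2
    if [ -x "${2:-}$pin" ]; then return 0; fi
    return 1
}

# Constructed sample: only OpenJDK 7 installed, plus launchers modelled
# on the two variants in the report. Prints the sandbox root.
make_sandbox() {
    root=$(mktemp -d)
    jre7=$root/usr/lib/jvm/java-7-openjdk-amd64/jre/bin
    mkdir -p "$jre7" "$root/usr/bin"
    : > "$jre7/java"; chmod +x "$jre7/java"
    printf '%s\n' '#!/bin/sh' \
        'JAVA=/usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java' \
        > "$root/usr/bin/itweb-settings.pinned"
    printf '%s\n' '#!/bin/sh' 'for V in 6 7; do' \
        '  J=/usr/lib/jvm/java-$V-openjdk-amd64/jre/bin/java' \
        '  if test -x "$J"; then JAVA=$J; break; fi' 'done' \
        > "$root/usr/bin/itweb-settings.search"
    echo "$root"
}

# Report the status of every launcher under $1/usr/bin.
audit() {
    for f in "$1"/usr/bin/*; do
        rc=0
        check_launcher "$f" "$1" || rc=$?
        case $rc in
            0) echo "OK      $f" ;;
            1) echo "BROKEN  $f pins $(pinned_java "$f")" ;;
            2) echo "NO-PIN  $f" ;;
        esac
    done
}

sandbox=$(make_sandbox); audit "$sandbox"; rm -rf "$sandbox"
```

On a live system, call check_launcher with the launcher path alone, so that the pinned path is tested against the real filesystem.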


Alexander Bürger (acfb) wrote :

added patch to fix itweb-settings as described above

The attachment "patch for itweb-settings" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Matthias Klose (doko) on 2013-02-08
Changed in icedtea-web (Ubuntu Precise):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package icedtea-web - 1.2.3-0ubuntu0.12.04.1

---------------
icedtea-web (1.2.3-0ubuntu0.12.04.1) precise-security; urgency=low

  * IcedTea-Web 1.2.3 release.
  * Security Updates:
    - CVE-2013-1927: fixed gifar vulnerability.
    - CVE-2013-1926: Class-loader incorrectly shared for applets with same
      relative-path.
  * Common:
    - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7.
  * NetX:
    - PR580: http://www.horaoficial.cl/ loads improperly.
  * Plugin:
    - PR1157: Applets can hang browser after fatal exception.

icedtea-web (1.2.2-0ubuntu1) precise-proposed; urgency=low

  * Update to the 1.2.2 bug fix release. LP: #1131479.
    - Includes security fixes uploaded earlier.
    - Bug fixes:
      - PR1106: Buffer overflow in plugin table.
      - PR898: signed applications with big jnlp-file doesn't start (webstart
        affect like "frozen").
      - PR811: javaws is not handling urls with spaces (and other characters
        needing encoding) correctly.
      - S816592: icedtea-web not loading GeoGebra java applets in Firefox
        or Chrome.
      - PR863: Error passing strings to applet methods in Chromium.
      - PR895: IcedTea-Web searches for missing classes on each loadClass
        or findClass.
      - PR518: NPString.utf8characters not guaranteed to be nul-terminated.
      - Disambiguate signed applet security prompt from certificate warning.
  * Search both OpenJDK-6 and OpenJDK-7 when starting itweb-settings.
    LP: #1078424.
 -- Matthias Klose <email address hidden> Wed, 17 Apr 2013 01:06:18 +0200

Changed in icedtea-web (Ubuntu Precise):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package icedtea-web - 1.2.3-0ubuntu0.10.04.1

---------------
icedtea-web (1.2.3-0ubuntu0.10.04.1) lucid-security; urgency=low

  [ Matthias Klose ]
  * IcedTea-Web 1.2.3 release.
  * Security Updates:
    - CVE-2013-1927: fixed gifar vulnerability.
    - CVE-2013-1926: Class-loader incorrectly shared for applets with same
      relative-path.
  * Common:
    - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7.
  * NetX:
    - PR580: http://www.horaoficial.cl/ loads improperly.
  * Plugin:
    - PR1157: Applets can hang browser after fatal exception.

  [ Jamie Strandboge ]
  * debian/rules: generate icedtea-plugin meta package
  * debian/control.in: update icedtea-netx replace/conflicts to avoid
    javaws conflict with openjdk-6-jre
  * debian/icedtea-netx.postinst.in: skip update-alternatives on
    openjdk-7 binaries if they don't exist
  * Regenerate the control file.

icedtea-web (1.2.2-0ubuntu1) precise-proposed; urgency=low

  * Update to the 1.2.2 bug fix release. LP: #1131479.
    - Includes security fixes uploaded earlier.
    - Bug fixes:
      - PR1106: Buffer overflow in plugin table.
      - PR898: signed applications with big jnlp-file doesn't start (webstart
        affect like "frozen").
      - PR811: javaws is not handling urls with spaces (and other characters
        needing encoding) correctly.
      - S816592: icedtea-web not loading GeoGebra java applets in Firefox
        or Chrome.
      - PR863: Error passing strings to applet methods in Chromium.
      - PR895: IcedTea-Web searches for missing classes on each loadClass
        or findClass.
      - PR518: NPString.utf8characters not guaranteed to be nul-terminated.
      - Disambiguate signed applet security prompt from certificate warning.
  * Search both OpenJDK-6 and OpenJDK-7 when starting itweb-settings.
    LP: #1078424.

icedtea-web (1.2-2ubuntu1.3) precise-security; urgency=low

  * SECURITY UPDATE: Fix denial of service in exception handling
    - debian/patches/icedtea-web-CVE-2012-4540.patch: adjust off by one in
      exception string storage in IcedTeaScriptablePluginObject.cc. Also fix
      two memory leaks.
    - CVE-2012-4540
 -- Jamie Strandboge <email address hidden> Wed, 17 Apr 2013 17:57:13 -0500

Changed in icedtea-web (Ubuntu):
status: New → Fix Released