Security Alert For CVE-2010-4476 Released

Bug #716689 reported by Benjamin on 2011-02-10
This bug affects 6 people
Affects               Importance   Assigned to
openjdk-6 (Ubuntu)    Medium       Unassigned
  Hardy               Medium       Unassigned
  Karmic              Medium       Steve Beattie
  Lucid               Medium       Steve Beattie
  Maverick            Medium       Steve Beattie
  Natty               Medium       Unassigned
sun-java6 (Ubuntu)    Medium       Brian Thomason
  Hardy               Medium       Brian Thomason
  Karmic              Medium       Brian Thomason
  Lucid               Medium       Brian Thomason
  Maverick            Medium       Brian Thomason
  Natty               Medium       Brian Thomason

Benjamin (bercovitz) on 2011-02-10
visibility: private → public
description: updated
Changed in sun-java6 (Ubuntu):
status: New → Confirmed
assignee: nobody → Brian Thomason (brian-thomason)
Doki (lkishalmi) wrote :

The official Java 6 binaries update 24 are available from Oracle. Oracle claims that CVE-2010-4476 is fixed in it.
I guess it is time for Ubuntu to create packages from it ASAP.

http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html

Sylvestre Ledru (sylvestre) wrote :

Sorry for the bad assignment. I uploaded in Natty (I did that in Debian yesterday). I don't know if you want to upload in Maverick or not?!

Changed in sun-java6 (Ubuntu):
assignee: Brian Thomason (brian-thomason) → Sylvestre Ledru (sylvestre)
assignee: Sylvestre Ledru (sylvestre) → Brian Thomason (brian-thomason)
Doki (lkishalmi) wrote :

Well it is needed for Maverick and Lucid as well.
Affects Karmic, Hardy and even Dapper which are supported but not from partner repository.

CVE-2010-4476 is about a bug whereby inputting "2.2250738585072014e-308" or variations of it [1] to the java.lang.Double.parseDouble(String) method causes it to enter an infinite loop; control is not returned to the calling thread.

This bug can be used to cause remote unauthenticated denial of service on long-running servers by way of CPU time exhaustion and/or causing all threads of an application server's thread pool to enter infinite loops and becoming unable to service requests.

As Doki explained in comment #3, Ubuntu Lucid and Maverick are affected by the vulnerability caused by this bug. I also added Affects: openjdk-6, since the current version in Lucid (6b20-1.9.5-0ubuntu1~10.04.1) is affected.

Oracle has released a fix for this bug in the OpenJDK codebase [2].

[1] http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ (HTML)
[2] http://hg.openjdk.java.net/jdk7/tl/jdk/rev/82c8c54ac1d5 (patch)

tags: added: patch
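
A post-update self-test for the hang described in the comment above, as an added example that is not part of the bug report or of any Ubuntu, Debian or Oracle code: it calls Double.parseDouble on a daemon thread with a timeout, using the string quoted in the comment and the one in the title of reference [1]. The class name, the 2-second timeout and the exit codes are assumptions; the code avoids post-Java-6 syntax so it compiles on the affected runtimes.

```java
import java.util.concurrent.*;

public class ParseDoubleSelfTest {
    // Probe inputs taken from the bug report: the string quoted in the
    // comment and the one in the title of reference [1].
    static final String[] PROBES = {
        "2.2250738585072014e-308",
        "2.2250738585072012e-308",
    };

    /** Returns true if Double.parseDouble(s) hands control back within timeoutMs. */
    static boolean parsesInTime(final String s, long timeoutMs) throws InterruptedException {
        // A thread stuck in the conversion loop ignores interrupts, so run the
        // probe on a daemon thread that cannot keep the JVM alive.
        ExecutorService pool = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parseDouble-probe");
                t.setDaemon(true);
                return t;
            }
        });
        Future<Double> result = pool.submit(new Callable<Double>() {
            public Double call() { return Double.parseDouble(s); }
        });
        try {
            result.get(timeoutMs, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            return false;            // no result in time: runtime still hangs
        } catch (ExecutionException e) {
            return true;             // parser threw, but it did return control
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        boolean ok = true;
        for (String probe : PROBES) {
            boolean returned = parsesInTime(probe, 2000);
            System.out.println(probe + " -> " + (returned ? "returned" : "HUNG (runtime not patched)"));
            ok &= returned;
        }
        System.out.println("java.version=" + System.getProperty("java.version"));
        System.exit(ok ? 0 : 1);     // assumed convention: exit 1 means at least one probe hung
    }
}
```

Run it with each installed runtime (sun-java6 and openjdk-6 separately) after the updated packages are in place; a non-zero exit means that runtime still needs the fix.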
Sylvestre Ledru (sylvestre) wrote :

Grrrrr, I am bored by the bloody permissions (I wished Ubuntu implemented dynamic "per package upload" for DD...)
"The signer of this package has no upload rights to this distribution's primary archive. Did you mean to upload to a PPA?"

Using sun-java6_6.24-1.dsc from:
http://ftp.de.debian.org/debian/pool/non-free/s/sun-java6/
will do it.

Micah Gersten (micahg) wrote :

@Sylvestre Ledru
sun-java6 is in the partner repository since Lucid, so only a few individuals can actually upload it.

Brian Thomason (brian-thomason) wrote :

Thanks Sylvestre, I'll see about getting you upload rights for sun-java6 in Partner; I'm just not sure we have such fine grained control there or not. In the meantime, I will grab your package and test it on Lucid+ tomorrow and push it to Jamie S. for review. The work is much appreciated!

Steve Beattie (sbeattie) on 2011-02-18
Changed in openjdk-6 (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Steve Beattie (sbeattie)
Changed in sun-java6 (Ubuntu Hardy):
status: New → Fix Committed
importance: Undecided → Medium
assignee: nobody → Brian Thomason (brian-thomason)
Changed in sun-java6 (Ubuntu Karmic):
status: New → Fix Committed
importance: Undecided → Medium
assignee: nobody → Brian Thomason (brian-thomason)
Changed in sun-java6 (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Brian Thomason (brian-thomason)
Changed in sun-java6 (Ubuntu Maverick):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Brian Thomason (brian-thomason)
Changed in openjdk-6 (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Steve Beattie (sbeattie)
Changed in openjdk-6 (Ubuntu Maverick):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Steve Beattie (sbeattie)
Changed in openjdk-6 (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Steve Beattie (sbeattie)
Changed in openjdk-6 (Ubuntu Karmic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Steve Beattie (sbeattie)
Jamie Strandboge (jdstrand) wrote :

Brian, the hardy and karmic packages need to be backported to a non-source format v3 package as this was only first supported in Lucid: https://bugs.launchpad.net/launchpad/+bug/293106/comments/9

Changed in sun-java6 (Ubuntu Hardy):
status: Fix Committed → In Progress
Changed in sun-java6 (Ubuntu Karmic):
status: Fix Committed → In Progress
Jamie Strandboge (jdstrand) wrote :

Lucid and Maverick now have packages in partner.

Changed in sun-java6 (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in sun-java6 (Ubuntu Maverick):
status: In Progress → Fix Released
Changed in sun-java6 (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in sun-java6 (Ubuntu Karmic):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Hardy and Karmic updates are building in the security PPA.

Jamie Strandboge (jdstrand) wrote :

Brian, will you be providing an update for natty in partner?

Partner for Natty is empty now, (we don't do migrations there until Beta 1)
but yes, I'll make sure the newer version is copied over at that time.

On Wed, Feb 23, 2011 at 1:35 PM, Jamie Strandboge <email address hidden> wrote:

> Brian, will you be providing an update for natty in partner?

Changed in sun-java6 (Ubuntu Natty):
importance: Undecided → Medium
milestone: none → ubuntu-11.04-beta-1
status: Confirmed → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sun-java6 - 6.24-1build0.9.10.1

---------------
sun-java6 (6.24-1build0.9.10.1) karmic-security; urgency=low

  * Fake sync from Debian (LP: #716689)
  * Removed debian/source dir reverting back to 1.0 packaging format as
    3.0 (quilt) isn't available prior to Lucid
 -- Brian Thomason <email address hidden> Mon, 21 Feb 2011 15:42:33 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sun-java6 - 6.24-1build0.8.04.1

---------------
sun-java6 (6.24-1build0.8.04.1) hardy-security; urgency=low

  * Fake sync from Debian (LP: #716689)
  * Removed debian/source dir reverting back to 1.0 packaging format as
    3.0 (quilt) isn't available prior to Lucid
 -- Brian Thomason <email address hidden> Mon, 21 Feb 2011 15:42:33 -0500

Changed in sun-java6 (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in sun-java6 (Ubuntu Karmic):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote :

For openjdk-6, USN 1079-1 was published: http://www.ubuntu.com/usn/usn-1079-1

Changed in openjdk-6 (Ubuntu Karmic):
status: In Progress → Fix Released
Changed in openjdk-6 (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in openjdk-6 (Ubuntu Maverick):
status: In Progress → Fix Released
Steve Beattie (sbeattie) on 2011-03-01
Changed in openjdk-6 (Ubuntu Hardy):
assignee: Steve Beattie (sbeattie) → nobody
Changed in openjdk-6 (Ubuntu Natty):
assignee: Steve Beattie (sbeattie) → nobody
Steve Beattie (sbeattie) on 2011-03-11
Changed in openjdk-6 (Ubuntu Hardy):
status: In Progress → Triaged
Changed in openjdk-6 (Ubuntu Natty):
status: In Progress → Fix Released
Changed in sun-java6 (Ubuntu Natty):
milestone: ubuntu-11.04-beta-1 → ubuntu-11.04-beta-2
Dustin Kirkland (kirkland) wrote :

According to the changelog of the version of sun-java6 in Natty:
 * https://launchpad.net/ubuntu/+source/sun-java6/6.24-1build0.10.10.1

This bug should be fix-released for Natty. Updating accordingly.

Changed in sun-java6 (Ubuntu Natty):
status: Triaged → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in openjdk-6 (Ubuntu Hardy):
status: Triaged → Won't Fix
This report contains Public Security information
Everyone can see this security related information.