
Re: [SECURITY] [DLA 1886-1] openjdk-7 security update



Hello,

On 19.08.19 at 11:23, Thomas Elsner wrote:
> Hi,
> 
> Markus Koschany wrote on 15.08.19 at 23:57:
>> Package        : openjdk-7
>> Version        : 7u231-2.6.19-1~deb8u1
>> CVE ID         : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2816
> 
> I'm not able to install the openjdk-7-jdk package without an error
> message during execution of the post install triggers. The script
> /etc/ca-certificates/update.d/jks-keystore calls
>   java -Xmx64m -jar
> /usr/share/ca-certificates-java/ca-certificates-java.jar -storepass changeit
> . This shows the error:
> Exception in thread "main" java.lang.NoClassDefFoundError:
> sun/security/ec/ECParameters
> 	at
> sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:1038)
> 	at sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:980)
> ....
> 
> I can reproduce the error using a docker container.
>  docker run -ti --rm debian:jessie /bin/bash
>   apt-get update && apt-get -y dist-upgrade && apt-get -y install
> openjdk-7-jdk default-jdk

Thanks for your report. I have looked into this and I believe I have
found the reason for the exception.

Apparently upstream removed the ECParameters class from rt.jar because
it is usually also present in sunec.jar. This is OpenJDK bug
JDK-7194075. [1] In Debian we have never built sunec.jar for OpenJDK 7.
This is Debian bug #750400 [2]. There must have been some sort of build
failure which could not be fixed because the relevant configuration
option is commented out in debian/rules. Since the classes were also in
rt.jar, we could apparently live with the situation...until now.

At first glance I believe the following classes from the ec directory
are missing:

src/share/classes/sun/security/ec/ECParameters.java
../../../../src/share/classes/sun/security/ec/ECPrivateKeyImpl.java
../../../../src/share/classes/sun/security/ec/ECPublicKeyImpl.java
../../../../src/share/classes/sun/security/ec/NamedCurve.java

I will re-add them to rt.jar and test whether that fixes our problem at hand.

Regards,

Markus

[1] https://bugs.openjdk.java.net/browse/JDK-7194075
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750400
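
An added example, not part of the original message or of the Debian packaging: a Python check of whether the four sun/security/ec classes listed in the message are present in any of a JRE's jars (rt.jar, sunec.jar). The jar paths are supplied by the caller, and `_make_jar` only builds constructed sample jars for testing.

```python
import io
import zipfile

# Classes the message lists as believed missing, as jar entry names.
EC_CLASSES = [
    "sun/security/ec/ECParameters.class",
    "sun/security/ec/ECPrivateKeyImpl.class",
    "sun/security/ec/ECPublicKeyImpl.class",
    "sun/security/ec/NamedCurve.class",
]


def missing_classes(jars, wanted=EC_CLASSES):
    """Return the wanted entries that none of the given jars contain.

    jars: iterable of paths or file-like objects (rt.jar, sunec.jar, ...).
    Unreadable or non-zip inputs count as providing nothing.
    """
    provided = set()
    for jar in jars:
        try:
            with zipfile.ZipFile(jar) as zf:
                provided.update(zf.namelist())
        except (OSError, zipfile.BadZipFile):
            continue
    return [name for name in wanted if name not in provided]


def _make_jar(entries):
    """Build a constructed in-memory jar holding empty class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    # Usage: python check_ec.py /path/to/rt.jar [/path/to/sunec.jar]
    gone = missing_classes(sys.argv[1:])
    for name in gone:
        print("missing:", name)
    sys.exit(1 if gone else 0)
```

A non-zero exit status means at least one of the classes is provided by none of the jars passed on the command line.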
