Subject: Re: lang/sun-j* security updates
To: Geert Hendrickx
From: Todd Vierling
List: tech-pkg
Date: 11/30/2005 09:55:01
On Wed, 30 Nov 2005, Geert Hendrickx wrote:

> > > -sun-{jre,jdk}14-*	1122,local-file-write
> > > +sun-{jre,jdk}14<2.10	1122,local-file-write
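Review bot: the new upper bound `<2.10` does not agree with the reply's own statement that the fix shipped in 1.4.2_9: if pkgsrc version 2.9 corresponds to 1.4.2_9, that release stays listed as vulnerable, and if 2.10 is merely "another update" the bound is off by one. Either cite the vendor advisory or a concrete test result that pins the fixed version, or keep the original `-*` wildcard until the fix is confirmed; a narrowed range without a source is the riskier of the two entries.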

> Ok, never post before (a third) coffee; the release of 1.4.2_10 and the
> announcement of this vulnerability are unrelated.  The vulnerability has
> been fixed in 1.4.2_9, and 1.4.2_10 is just another update.

Where is the announcement that this was actually fixed?  Are you *sure* it
is fixed -- have you tested?

JDK 1.5.0_05 did not fix it for the 1.5.0 line, so I am suspicious that
1.4.2 isn't fixed yet either.  I think you might want to check and be sure.
I've created a test script that you can use to verify:

Set JAVA_HOME to the pkgsrc subdir (/usr/pkg/java/sun-1.4, for example) so
that it doesn't pick up the pkgsrc wrappers, in case you have the wrapper
for "jar" pointed to "fastjar" or a different JDK than "java".

(Although, BTW, I just found that fastjar is ALSO vulnerable to this.  Eek.
Time to update pkg-vulnerabilities to match, and notify Secunia.)

-- Todd Vierling