Subject: Re: lang/sun-j* security updates
To: Geert Hendrickx <ghen@telenet.be>
From: Todd Vierling <tv@duh.org>
List: tech-pkg
Date: 11/30/2005 09:55:01
On Wed, 30 Nov 2005, Geert Hendrickx wrote:
> > > -sun-{jre,jdk}14-* 1122,local-file-write http://secunia.com/advisories/14902/
> > > +sun-{jre,jdk}14<2.10 1122,local-file-write http://secunia.com/advisories/14902/
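Review bot: the new upper bound `<2.10` does not match the claim, further down in this same reply, that the fix landed in 1.4.2_9: if that is true the pattern should be `sun-{jre,jdk}14<2.9`, and as written it keeps flagging the 2.9 packages as vulnerable. If the fix cannot be confirmed from a vendor announcement (the next message asks exactly that), the safer change is no change, keeping the `-*` wildcard until it is verified; either way the commit should cite where the fixed version is documented rather than inferring it from the release date of 1.4.2_10.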
> Ok, never post before (a third) coffee; the release of 1.4.2_10 and the
> announcement of this vulnerability are unrelated. The vulnerability has
> been fixed in 1.4.2_9, and 1.4.2_10 is just another update.
Where is the announcement that this was actually fixed? Are you *sure* it
is fixed -- have you tested?
JDK 1.5.0_05 did not fix it for the 1.5.0 line, so I am suspicious that
1.4.2 isn't fixed yet either. I think you might want to check and be sure.
I've created a test script that you can use to verify:
ftp://ftp.duh.org/pub/test14092.sh
Set JAVA_HOME to the pkgsrc subdir (/usr/pkg/java/sun-1.4, for example) so
that it doesn't pick up the pkgsrc wrappers, in case you have the wrapper
for "jar" pointed to "fastjar" or a different JDK than "java".
(Although, BTW, I just found that fastjar is ALSO vulnerable to this. Eek.
Time to update pkg-vulnerabilities to match, and notify Secunia.)
--
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
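As an added illustration, not part of this mail and not pkgsrc's own code: a small Python matcher for pkg-vulnerabilities lines of the shape quoted in the hunk above. It shows concretely which package versions each of the two competing entries flags. The brace expansion (`sun-{jre,jdk}14`), the `-*` wildcard, the `<`/`<=`/`>`/`>=` operators and the dotted-number version comparison are my assumptions about the format, written to be enough for these entries, not a reimplementation of the real checker.

```python
import operator
import re

# Constructed sample: the two pattern lines from the quoted hunk, in the
# "pattern type url" shape, with the -/+ diff markers removed.
SAMPLE_ENTRIES = """\
sun-{jre,jdk}14-* 1122,local-file-write http://secunia.com/advisories/14902/
sun-{jre,jdk}14<2.10 1122,local-file-write http://secunia.com/advisories/14902/
"""

OPS = {'<': operator.lt, '<=': operator.le, '>': operator.gt, '>=': operator.ge}


def expand_braces(pattern):
    """Expand {a,b} alternation: 'sun-{jre,jdk}14' -> ['sun-jre14', 'sun-jdk14']."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    expanded = []
    for alt in m.group(1).split(','):
        expanded.extend(expand_braces(head + alt + tail))
    return expanded


def version_key(version):
    """Compare dotted versions numerically so that 2.9 < 2.10 (unlike string order).
    Numeric parts sort before non-numeric ones to keep tuple comparison total."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split('.'))


def split_pkg(pkgname):
    """'sun-jre14-2.9' -> ('sun-jre14', '2.9'); the version follows the last '-'."""
    base, _, ver = pkgname.rpartition('-')
    return base, ver


def matches(pattern, pkgname):
    """True if an installed package name (with version) is covered by the pattern."""
    base, ver = split_pkg(pkgname)
    for p in expand_braces(pattern):
        if p.endswith('-*'):            # wildcard: every version of this package
            if p[:-2] == base:
                return True
            continue
        m = re.fullmatch(r'([^<>]+)((?:[<>]=?[^<>]+)+)', p)
        if not m or m.group(1) != base:
            continue
        bounds = re.findall(r'([<>]=?)([^<>]+)', m.group(2))
        if all(OPS[op](version_key(ver), version_key(bound)) for op, bound in bounds):
            return True
    return False


def vulnerable_entries(entries_text, pkgname):
    """Return the (type, url) pairs of every entry that flags pkgname."""
    hits = []
    for line in entries_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        pattern, kind, url = line.split(None, 2)
        if matches(pattern, pkgname):
            hits.append((kind, url))
    return hits


if __name__ == '__main__':
    # The '-*' entry flags every version; the '<2.10' entry still flags 2.9.
    for pkg in ('sun-jre14-2.9', 'sun-jdk14-2.10', 'sun-jre15-2.9'):
        print(pkg, vulnerable_entries(SAMPLE_ENTRIES, pkg))
```

Running it shows that with the proposed `<2.10` bound the 2.9 packages are still reported as vulnerable, while 2.10 is not; whether either statement is true is exactly the question the reply above raises, and the answer has to come from a confirmed fix, not from the pattern.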