8u212 missing fixes
Andrew John Hughes
gnu.andrew at redhat.com
Thu Apr 25 16:44:20 UTC 2019
On 25/04/2019 13:59, Gil Tene wrote:
>
>> On Apr 25, 2019, at 5:22 AM, Eric Peterson <epeterson at interactivebrokers.com> wrote:
>> ...
>> The recent OpenJDK 8u212 release mentioned fixes for three CVEs:
>>
>> * S8211936, CVE-2019-2602: Better String parsing
>> * S8218453, CVE-2019-2684: More dynamic RMI interactions
>> * S8219066, CVE-2019-2698: Fuzzing TrueType fonts: setCurrGlyphID()
>>
>> But the Oracle 8u212 release mentions two additional fixed CVEs:
>>
>> * CVE-2019-2699
>> * CVE-2019-2697
>>
>> Was OpenJDK 8u212 missing fixes for those vulnerabilities? Or perhaps they were just inadvertently left out of the release notes, or did not need to be applied?
>
> To my knowledge:
>
> CVE-2019-2699 was related to an artifact of choices made in the build environment, and as such existed in some 8u distros but not in others. So it is not a source-code-project thing (but individual distros have dealt with it and may want to mention it).
>
> CVE-2019-2697 was specific to Oracle JDK 8 code that is not included in OpenJDK 8u, so it is not applicable to OpenJDK 8u.
>
> — Gil
>
Yeah, neither are applicable to OpenJDK.

CVE-2019-2699 is a Windows-only issue relating to an old version of
msvcr100.dll (10.00.40219.1) being included with some OpenJDK-based
binaries for Windows. They are susceptible to [0]. This depends on the
build environment used to create the Windows binary, so there is no fix
in the OpenJDK code base and some binaries weren't affected (e.g. Red
Hat's Windows binaries).

CVE-2019-2697, as with some past CVEs, covers proprietary code that
Oracle add on top of OpenJDK, especially in older releases. In this
case, it's the t2k library and only on Oracle's 7 & 8 JDKs. [1]

[0] https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-025
[1] https://packetstormsecurity.com/files/cve/CVE-2019-2697
--
Andrew :)
Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew
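As an added defender-side check (not code from this thread or from the OpenJDK project), the Python script below reads the file version out of a bundled msvcr100.dll and flags the 10.00.40219.1 build named above. It assumes the DLL sits in `<jdk_home>/bin` and locates the version by scanning for the VS_FIXEDFILEINFO signature rather than walking the PE resource tree.

```python
import struct
import sys
from pathlib import Path

# Build of msvcr100.dll named in the thread as the one shipped by affected binaries.
AFFECTED_VERSION = (10, 0, 40219, 1)

# VS_FIXEDFILEINFO begins with dwSignature 0xFEEF04BD, then dwStrucVersion,
# dwFileVersionMS and dwFileVersionLS, all little-endian DWORDs.
_FIXEDFILEINFO_MAGIC = struct.pack("<I", 0xFEEF04BD)


def file_version_from_pe_bytes(data: bytes):
    """Return (major, minor, build, revision) from the first plausible
    VS_FIXEDFILEINFO block in a PE image, or None if none is found.
    Assumption: the first block whose dwStrucVersion is 1.0 is the module's own."""
    pos = data.find(_FIXEDFILEINFO_MAGIC)
    while pos != -1 and pos + 16 <= len(data):
        _sig, struc_ver, ms, ls = struct.unpack_from("<IIII", data, pos)
        if struc_ver == 0x00010000:  # sanity check on dwStrucVersion
            return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(_FIXEDFILEINFO_MAGIC, pos + 4)
    return None


def is_affected_msvcr100(version) -> bool:
    """True when the extracted version is exactly the 10.00.40219.1 build."""
    return version is not None and tuple(version) == AFFECTED_VERSION


def check_jdk_dir(jdk_home: str) -> dict:
    """Inspect <jdk_home>/bin/msvcr100.dll (assumed bundling location)."""
    dll = Path(jdk_home) / "bin" / "msvcr100.dll"
    if not dll.is_file():
        return {"present": False, "version": None, "affected": False}
    version = file_version_from_pe_bytes(dll.read_bytes())
    return {"present": True, "version": version,
            "affected": is_affected_msvcr100(version)}


# Constructed sample: padding around a VS_FIXEDFILEINFO header for 10.0.40219.1
# (0x000A0000 = 10.0, 0x9D1B0001 = 40219.1).
SAMPLE_BLOB = (b"\x00" * 32
               + struct.pack("<IIII", 0xFEEF04BD, 0x00010000, 0x000A0000, 0x9D1B0001)
               + b"\x00" * 16)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_jdk_dir(sys.argv[1]))  # e.g. python check.py "C:\Program Files\Java\jdk8"
    else:
        print(file_version_from_pe_bytes(SAMPLE_BLOB))
```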