The title is an adaption of Alberto Sordi’s movie «Venezia, la luna e tu», for who wonders.
So, those of you who are actually reading my blog daily (I know there are still a few out there ;) ) know that I’ve started looking at OpenJDK since day one, hoping to be able to actually get it to work on Gentoo/FreeBSD to replace the Diablo JRE/JDK that are not updated for a while now (1.5 version), and with most probability vulnerable to something.
Well, beside a few patches here and there to use external libraries, that you can find
here, and a minimal memory leak for a
tempnam() value never freed, today I had the time to look at the unmodified libpng copy that OpenJDK distributes.. and the security issue that was being fixed last November is not fixed there. CVE-2006-5793 is still valid for sun-jdk-1.6 series, as well as 1.7 and OpenJDK of course.
This is just one thing you can know by having the source code; the issue would have probably be ignored for a lot of time if it wasn’t for the release of the code, and now that we know it’s there, it has to be fixed somehow.
I’ve filed bugs at Gentoo and at Sun, so that the issue can be taken care of. In the mean time, my local builds of OpenJDK uses external copies of libpng (as well as zlib, jpeg – for the most part – and giflib), so I’m relatively safe. It’s not a nasty, pernicious bug, as the code is only used for splashscreens.
Now the question is: how much time will it take before nasty pernicious bugs are found in JDK’s proper code?
At least I’m happy to see that Sun people are open to actually apply the needed changes.