Bug 483198 (CVE-2013-1926)

Summary:	<dev-java/icedtea-web-1.3.2 : Multiple vulnerabilities (CVE-2013-{1926,1927})
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	java
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	~2 [noglsa]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2013-08-31 21:48:25 UTC

CVE-2013-1927 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1927):
  The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remote
  attackers to execute arbitrary code via a crafted file that validates as
  both a GIF and a Java JAR file, aka "GIFAR."

CVE-2013-1926 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1926):
  The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same
  class loader for applets with the same codebase path but from different
  domains, which allows remote attackers to obtain sensitive information or
  possibly alter other applets via a crafted applet.


Looks like all we need to do here is cleanup.

Comment 1 Agostino Sarubbo gentoo-dev

2013-08-31 21:56:30 UTC

1.2.3 is not anymore in the tree

Comment 2 Yury German Gentoo Infrastructure

2013-12-30 06:10:56 UTC

Ping!

Maintainer(s), please drop the vulnerable version.

Comment 3 Tom Wijsman (TomWij) (RETIRED) gentoo-dev

2013-12-30 17:23:56 UTC

Dropped 1.3.1*; since the summary change is odd, do we need to drop 1.3.2*?

+  30 Dec 2013; Tom Wijsman <TomWij@gentoo.org> -icedtea-web-1.3.1-r7.ebuild,
+  -icedtea-web-1.3.1.ebuild, metadata.xml:
+  Dropped vulnerable 1.3.1* (and unused local USE-descriptions gtk2 and gtk3)
+  for security bug #483198.

Comment 4 Agostino Sarubbo gentoo-dev

2013-12-30 19:42:38 UTC

(In reply to Tom Wijsman (TomWij) from comment #3)
> Dropped 1.3.1*; since the summary change is odd, do we need to drop 1.3.2*?
The change is not odd. This is fine as-is. Thanks for the cleanup.

Closing as noglsa.