The post on http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ describes an (at first sight) trivial DoS when parsing strings into Java Double objects. However, that code could likely occur in serialization routines and HTTP header parsing and impair server availability.

Runtime (java app hang):

    class runhang {
        public static void main(String[] args) {
            System.out.println("Test:");
            double d = Double.parseDouble("2.2250738585072012e-308");
            System.out.println("Value: " + d);
        }
    }

DevTime (javac hang):

    class compilehang {
        public static void main(String[] args) {
            double d = 2.2250738585072012e-308;
            System.out.println("Value: " + d);
        }
    }

https://bugzilla.redhat.com/show_bug.cgi?id=674336

The Oracle advisory makes it very unobvious what version contains the fix, if any.
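An added example (not from this bug report, from Oracle, or from the linked article) of a guard a service can put in front of Double.parseDouble on untrusted input while the fixed JDK is not yet deployed: it evaluates the literal exactly with BigDecimal, which never enters the faulty correction loop, and rejects any value in the one-ulp band just below Double.MIN_NORMAL where the linked analysis locates the hang. Treating that whole band as suspect, and refusing hex, NaN and Infinity literals, are assumptions of this example.

```java
import java.math.BigDecimal;

// Added example: stopgap guard for CVE-2010-4476 in code paths that take
// numbers from untrusted input (headers, serialized fields). The real fix
// is the updated JDK; this only keeps the problematic band of values away
// from Double.parseDouble.
public final class SafeDouble {
    // Exact decimal expansions of 2^-1022 and of the largest subnormal double.
    private static final BigDecimal MIN_NORMAL = new BigDecimal(Double.MIN_NORMAL);
    private static final BigDecimal MAX_SUBNORMAL =
            MIN_NORMAL.subtract(new BigDecimal(Double.MIN_VALUE));

    public static double parse(String s) {
        BigDecimal exact;
        try {
            // BigDecimal(String) computes the exact value with integer
            // arithmetic only, so it terminates for every input.
            exact = new BigDecimal(s.trim());
        } catch (NumberFormatException e) {
            // Hex floats, NaN, Infinity and d/f suffixes are refused here
            // (assumption: this caller never needs them).
            throw new NumberFormatException("unsupported numeric literal: " + s);
        }
        BigDecimal mag = exact.abs();
        // Assumption: the whole open interval (largest subnormal, MIN_NORMAL) is
        // treated as suspect. Comparing numerically rather than by string also
        // catches variants such as "0.00022250738585072012e-304" or a leading '-'.
        if (mag.compareTo(MAX_SUBNORMAL) > 0 && mag.compareTo(MIN_NORMAL) < 0) {
            throw new NumberFormatException("value in rounding band below MIN_NORMAL: " + s);
        }
        return Double.parseDouble(s);
    }

    public static void main(String[] args) {
        String[] samples = {                 // constructed inputs
            "0.8", "2.2250738585072014e-308", "2.2250738585072012e-308",
            "0.00022250738585072012e-304", "-2.2250738585072012E-308"
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + parse(s));
            } catch (NumberFormatException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two samples parse normally; the last three are rejected before the JDK parser sees them, which a plain string blacklist of "2.2250738585072012e-308" would miss.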
(In reply to comment #0)
> The Oracle advisory makes it very unobvious what version contains the fix, if
> any.

None. There's a fixer tool at http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater that could probably be used in the ebuild, but I'm not sure if that would mean making the package fetch-restricted again.
Build 24 now fixes this issue (and probably others as well). See http://www.oracle.com/technetwork/java/javase/downloads/index.html
New versions were released, along with a full advisory and new CVEs, so I'm changing the whiteboard for re-evaluation.
Bumped, please stabilize version 1.6.0.24 of:

x86: dev-java/sun-jdk, dev-java/sun-jre-bin
amd64: $x86, app-emulation/emul-linux-x86-java
amd64 done
Both packages also tested on x86 over here. No problems found.
x86 stable, last one so update the whiteboard
Thanks, folks. GLSA Vote: no.
CVE-2010-4476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4476): The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.

CVE-2010-4475 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4475): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.

CVE-2010-4474 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4474): Unspecified vulnerability in the Java DB component in Oracle Java SE and Java for Business 6 Update 23 and earlier allows local users to affect confidentiality via unknown vectors related to Security, a similar vulnerability to CVE-2009-4269.

CVE-2010-4473 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4473): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.

CVE-2010-4472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4472): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect availability, related to XML Digital Signature and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves the replacement of the "XML DSig Transform or C14N algorithm implementations."

CVE-2010-4471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4471): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to 2D. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the exposure of system properties via vectors related to Font.createFont and exception text.

CVE-2010-4470 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4470): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect availability via unknown vectors related to JAXP and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to "Features set on SchemaFactory not inherited by Validator."

CVE-2010-4469 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4469): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is heap corruption related to the Verifier and "backward jsrs."

CVE-2010-4468 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4468): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity via unknown vectors related to JDBC.

CVE-2010-4467 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4467): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 10 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2010-4466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4466): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Windows, Solaris, and Linux; 5.0 Update 27 and earlier for Windows; and 1.4.2_29 and earlier for Windows allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.

CVE-2010-4465 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4465): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the lack of framework support by AWT event dispatch, and/or "clipboard access in Applets."

CVE-2010-4463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4463): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 21 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2010-4462 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4462): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.

CVE-2010-4454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4454): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.

CVE-2010-4452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4452): Unspecified vulnerability in the Deployment component in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-4451 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4451): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Windows, when using Java Update, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install.

CVE-2010-4450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4450): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux; and 1.4.2_29 and earlier for Solaris and Linux allows local standalone applications to affect confidentiality, integrity, and availability via unknown vectors related to Launcher. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is an untrusted search path vulnerability involving an empty LD_LIBRARY_PATH environment variable.

CVE-2010-4448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4448): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Networking. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves "DNS cache poisoning by untrusted applets."

CVE-2010-4447 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4447): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.

CVE-2010-4422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4422): Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in GLSA 201111-02 at http://security.gentoo.org/glsa/glsa-201111-02.xml by GLSA coordinator Alex Legler (a3li).