Bug 485164 (CVE-2013-4349) - dev-java/icedtea-web : CVE-2012-4540 issue not fixed in 1.4
Status: RESOLVED INVALID
Alias: CVE-2013-4349
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~2 [?]
Reported: 2013-09-17 05:11 UTC by Agostino Sarubbo
Modified: 2013-09-17 20:39 UTC

Description Agostino Sarubbo gentoo-dev 2013-09-17 05:11:47 UTC
From ${URL} :

An off-by-one heap-based buffer overflow was found in IcedTeaScriptableJavaObject::invoke function.  
This problem was discovered in Oct 2012 and was assigned CVE-2012-4540.  For more detailed 
description, refer to bug 869040 comment 5.

The patch for this issue was applied to 1.1, 1.2, and 1.3 IcedTea-Web branches, see bug 869040 
comment 10.  However, the fix did not get applied to head.  Version 1.4 released in May 2013 did 
not include the fix and is affected by the issue.

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-May/023195.html

A new CVE id CVE-2013-4349 was assigned for the missing fix in 1.4.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2013-09-17 20:35:35 UTC
Yay for us slacking, we still don't have 1.4 \o/ So when we finally do, it's gotta be 1.4.1 and that's all.
Meanwhile we have 1.3.1 and 1.3.2 which should be fixed.
So I don't know what to do with this bug, lol.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-17 20:39:58 UTC
If it doesn't apply to us, RESOLVED INVALID. If/when you do add 1.4, please make sure to get the fixed version :)