Bug 525472 (CVE-2014-6511) - <dev-java/oracle-jdk-bin-1.7.0.68 <dev-java/oracle-jdk-bin-1.8.0.21 : Unspecified vulnerability in Oracle Java SE
Status: RESOLVED FIXED
Alias: CVE-2014-6511
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Reported: 2014-10-15 08:15 UTC by Agostino Sarubbo
Modified: 2016-03-12 12:40 UTC
Description Agostino Sarubbo gentoo-dev 2014-10-15 08:15:03 UTC
From ${URL}:

An insufficient array boundary check flaw was discovered in the ICU library Layout Engine component, used as part of the 2D component in OpenJDK. A specially-crafted font file could trigger an out of bounds read, which could lead to information disclosure or application crash. A malicious Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

External References:

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixJAVA


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2014-12-28 21:54:50 UTC
Here's what Debian says about this bug: 

Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D.

Here's what the ICU pages say about the Layout Engine: 

http://userguide.icu-project.org/layoutengine
The ICU LayoutEngine has not had active development for some time, has many open bugs, and has now been deprecated. Users of ICU Layout are strongly encouraged to consider the HarfBuzz project as a replacement for the ICU Layout Engine. 

The source file in question, as far as I can identify it, has not been changed since 2013-04-18.

This looks to me like a bug in OpenJDK (using a deprecated library).
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2015-02-07 16:50:30 UTC
(In reply to Andreas K. Hüttel from comment #1)
> Here's what Debian says about this bug: 
> 
> Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20
> allows remote attackers to affect confidentiality via unknown vectors
> related to 2D.
> 
> Here's what the ICU pages say about the Layout Engine: 
> 
> http://userguide.icu-project.org/layoutengine
> The ICU LayoutEngine has not had active development for some time, has many
> open bugs, and has now been deprecated. Users of ICU Layout are strongly
> encouraged to consider the HarfBuzz project as a replacement for the ICU
> Layout Engine. 
> 
> The source file in question, as far as I can identify it, has not been
> changed since 2013-04-18.
> 
> This looks to me like a bug in OpenJDK (using a deprecated library).

After no reply from security for a month, changing topic and re-ccing to java team.
Comment 3 James Le Cuirot gentoo-dev 2015-04-15 21:55:17 UTC
We still have one vulnerable version in the tree, 1.7.0.60, and this is only there to support ARM. Unfortunately Oracle didn't do another Java 7 release for ARM but there is 1.8.0.33. Given that I'm bumping other arches right now to 1.8.0.45 for security fixes, 1.8.0.33 probably has other vulnerabilities besides this one. Oracle seems to have a very half-arsed relationship with ARM so we should really be looking to icedtea instead.
Comment 4 James Le Cuirot gentoo-dev 2015-09-05 15:16:19 UTC
Oracle seems to be treating ARM as a first class arch now so 1.7.0.60 has been removed. Security team, please close this out.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-12 09:50:40 UTC
Added to existing GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 12:40:38 UTC
This issue was resolved and addressed in GLSA 201603-11 at https://security.gentoo.org/glsa/201603-11 by GLSA coordinator Kristian Fiskerstrand (K_F).