Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC

Bug 433094 (CVE-2012-0547)

Summary: <app-emulation/emul-linux-x86-java-1.6.0.35; <dev-java/sun-{jdk,jre-bin}-1.6.0.35; <dev-java/oracle-{jdk,jre}-bin-1.7.0.7: fails to restrict access to privileged code, allows to execute arbitrary programs (CVE-2012-{0547,1682,3136,4681})
Product: Gentoo Security Reporter: Sławomir Nizio <slawomir.nizio>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: cnyegle, farmboy0, gentoo.2019, java, wyvern5
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.kb.cert.org/vuls/id/636312
See Also: https://bugs.gentoo.org/show_bug.cgi?id=433389
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Sławomir Nizio 2012-08-28 20:09:19 UTC
quoting $url:
Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow an applet to call setSecurityManager in a way that allows setting of arbitrary permissions.
(...)
This vulnerability is being actively exploited in the wild, and exploit code is publicly available.

see also:
[1] http://secunia.com/advisories/cve_reference/CVE-2012-4681/
[2] https://bugzilla.redhat.com/show_bug.cgi?id=852051
[3] http://secunia.com/advisories/50133

Icedtea may be affected too.

Thanks to Ryuno-Ki for telling about it on IRC.

Reproducible: Always
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-08-31 11:21:43 UTC
Bumped, please stabilize
amd64/x86:
dev-java/sun-jdk-1.6.0.35
dev-java/sun-jre-bin-1.6.0.35

amd64 also:
app-emulation/emul-linux-x86-java-1.6.0.35

x86 also:
dev-java/oracle-jdk-bin-1.7.0.7
dev-java/oracle-jre-bin-1.7.0.7
Comment 3 Klaus Kusche 2012-08-31 11:23:27 UTC
Same problem in IcedTea.

Updated Icedtea 2.3.1 available upstream with the same fixes.

Please provide ebuilds!
Comment 4 Sean Amoss gentoo-dev Security 2012-08-31 11:33:16 UTC
(In reply to comment #3)
> Same problem in IcedTea.
> 
> Updated Icedtea 2.3.1 available upstream with the same fixes.
> 
> Please provide ebuilds!

This is not the place to discuss IcedTea. Please see the bug in the "See Also" section.
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-08-31 14:35:33 UTC
*** Bug 431692 has been marked as a duplicate of this bug. ***
Comment 6 Agostino Sarubbo gentoo-dev 2012-09-02 18:04:14 UTC
amd64 stable
Comment 7 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-09-02 19:17:37 UTC
*** Bug 433465 has been marked as a duplicate of this bug. ***
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-09-04 23:41:14 UTC
CVE-2012-4681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681):
  Multiple vulnerabilities in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute
  arbitrary code via a crafted applet that bypasses SecurityManager
  restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and
  leveraging an exception with the forName method to access restricted classes
  from arbitrary packages such as sun.awt.SunToolkit, then (2) using
  "reflection with a trusted immediate caller" to leverage the getField method
  to access and modify private fields, as exploited in the wild in August 2012
  using Gondzz.class and Gondvv.class.

CVE-2012-3136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Beans, a different vulnerability than CVE-2012-1682.

CVE-2012-1682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Beans, a different vulnerability than CVE-2012-3136.

CVE-2012-0547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no
  impact and remote attack vectors involving AWT and "a security-in-depth
  issue that is not directly exploitable but which can be used to aggravate
  security vulnerabilities that can be directly exploited." NOTE: this
  identifier was assigned by the Oracle CNA, but CVE is not intended to cover
  defense-in-depth issues that are only exposed by the presence of other
  vulnerabilities.
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-13 07:17:53 UTC
x86 stable
Comment 10 Sean Amoss gentoo-dev Security 2012-09-13 15:42:00 UTC
Thanks, everyone.

GLSA draft ready for review.
Comment 11 farmboy0 2012-09-20 11:31:45 UTC
please mark the amd64 ebuild as stable as per comment from Agostino Sarubbo on 9/2/2012.

Keywords still contains ~amd64 after syncing today.

Thank you
Comment 12 Sean Amoss gentoo-dev Security 2012-09-20 12:35:00 UTC
(In reply to comment #11)
> please mark the amd64 ebuild as stable as per comment from Agostino Sarubbo
> on 9/2/2012.
> 
> Keywords still contains ~amd64 after syncing today.
> 
> Thank you

All amd64 ebuilds are appropriately marked. Please file a new bug if you are having syncing issues as we don't deal with those in security bugs.
Comment 13 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-09-20 14:01:28 UTC
*** Bug 435644 has been marked as a duplicate of this bug. ***
Comment 14 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-09-20 14:01:51 UTC
> All amd64 ebuilds are appropriately marked. Please file a new bug if you are
> having syncing issues as we don't deal with those in security bugs.

No, they aren't. 

56 	KEYWORDS="~amd64 x86 ~amd64-linux ~x86-linux ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.7.ebuild?revision=1.4&view=markup
Comment 15 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-09-20 14:03:25 UTC
Sorry, it was never suppose to be marked stable. I am wrong, sorry for the noise.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 01:27:44 UTC
This issue was resolved and addressed in
 GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml
by GLSA coordinator Sean Amoss (ackle).