
Bug 433389 (CVE-2012-4681)

Summary: <dev-java/icedtea-bin-6.1.11.4: fails to restrict access to privileged code (CVE-2012-{0547,1682,3136,4681})
Product: Gentoo Security
Reporter: Andrew John Hughes <gnu_andrew>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: caster, java, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020083.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=433094
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Andrew John Hughes 2012-08-30 01:49:10 UTC
Fixes Java zero-day issue:

http://bitly.com/OKB0Xy

Reproducible: Always
Comment 1 Andrew John Hughes 2012-08-30 18:26:48 UTC
Ebuild for 2.3.1 is in java-overlay as of last night.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-30 20:43:24 UTC
Thanks for the report, Andrew.

Is IcedTea also vulnerable to the 3 other issues from Oracle Java?
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html#AppendixJAVA
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-08-31 14:31:02 UTC
icedtea-7.2.3.1 is added in tree. However, there should soon be 7.2.3.2 to fix the remaining vulnerabilities. Then I'll build the icedtea-bin.
Comment 4 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-09-02 19:15:38 UTC
dev-java/icedtea bumped to 6.1.11.4 / 7.2.3.2
dev-java/icedtea-bin built and bumped as well

please stabilize dev-java/icedtea-bin-6.1.11.4
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-09-03 08:39:00 UTC
I forgot distfiles, sorry. Please hold on until I tell you (evening).
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-09-03 18:00:01 UTC
(In reply to comment #5)
> I forgot distfiles, sorry. Please hold on until I tell you (evening).

Done, unmasked.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-09-03 19:16:11 UTC
Arches, please test and mark stable:
=dev-java/icedtea-bin-6.1.11.4
Target keywords : "amd64 x86"
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-09-05 00:58:26 UTC
CVE-2012-4681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681):
  Multiple vulnerabilities in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute
  arbitrary code via a crafted applet that bypasses SecurityManager
  restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and
  leveraging an exception with the forName method to access restricted classes
  from arbitrary packages such as sun.awt.SunToolkit, then (2) using
  "reflection with a trusted immediate caller" to leverage the getField method
  to access and modify private fields, as exploited in the wild in August 2012
  using Gondzz.class and Gondvv.class.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-09-05 01:15:35 UTC
CVE-2012-3136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Beans, a different vulnerability than CVE-2012-1682.

CVE-2012-1682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Beans, a different vulnerability than CVE-2012-3136.

CVE-2012-0547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no
  impact and remote attack vectors involving AWT and "a security-in-depth
  issue that is not directly exploitable but which can be used to aggravate
  security vulnerabilities that can be directly exploited." NOTE: this
  identifier was assigned by the Oracle CNA, but CVE is not intended to cover
  defense-in-depth issues that are only exposed by the presence of other
  vulnerabilities.
Comment 10 Agostino Sarubbo gentoo-dev 2012-09-07 15:45:16 UTC
amd64 stable
Comment 11 Andreas Schürch gentoo-dev 2012-09-12 13:08:57 UTC
x86 done, last arch!
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2012-09-13 02:41:08 UTC
Thanks, folks. Already in GLSA draft.
Comment 13 James Le Cuirot gentoo-dev 2015-05-10 21:57:59 UTC
I'm just going to close this since no one cares. This version has long gone.