Summary: | <dev-java/icedtea-bin-6.1.11.4: fails to restrict access to privileged code (CVE-2012-{0547,1682,3136,4681}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Andrew John Hughes <gnu_andrew> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | caster, java, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020083.html | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=433094 | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Andrew John Hughes
2012-08-30 01:49:10 UTC
Ebuild for 2.3.1 is in java-overlay as of last night. Thanks for the report, Andrew. Is IcedTea also vulnerable to the 3 other issues from Oracle Java? http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html#AppendixJAVA icedtea-7.2.3.1 is added in tree. However, there should soon be 7.2.3.2 to fix the remaining vulnerabilities. Then I'll build the icedtea-bin. dev-java/icedtea bumped to 6.1.11.4 / 7.2.3.2 dev-java/icedtea-bin built and bumped as well please stabilize dev-java/icedtea-bin-6.1.11.4 I forgot distfiles, sorry. Please hold on until I tell you (evening). (In reply to comment #5) > I forgot distfiles, sorry. Please hold on until I tell you (evening). Done, unmasked. Arches, please test and mark stable: =dev-java/icedtea-bin-6.1.11.4 Target keywords : "amd64 x86" CVE-2012-4681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681): Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class. CVE-2012-3136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-1682. CVE-2012-1682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. CVE-2012-0547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited." NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities. amd64 stable x86 done, last arch! Thanks, folks. Already in GLSA draft. I'm just going to close this since no one cares. This version has long gone. |