Bug 442478 (CVE-2012-4540)

Comment 1 GLSAMaker/CVETool Bot 2012-11-11 16:22:26 UTC

CVE-2012-4540 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4540):
  Off-by-one error in the invoke function in IcedTeaScriptablePluginObject.cc
  in IcedTea-Web 1.1.x before 1.1.7, 1.2.x before 1.2.2, and 1.3.x before
  1.3.1 allows remote attackers to obtain sensitive information, cause a
  denial of service (crash), or possibly execute arbitrary code via a crafted
  webpage that triggers a heap-based buffer overflow, related to an error
  message and a "triggering event attached to applet."

Comment 2 Vlastimil Babka (Caster) (RETIRED) 2012-11-14 22:56:45 UTC

icedtea-web bumped to 1.3.1

nsplugin part of icedtea-bin built and bumped
Please stabilize dev-java/icedtea-bin-6.1.11.3-r1
(test the nsplugin, the rest is unchanged from -r0)

Comment 3 Andreas Schürch 2012-11-15 15:33:36 UTC

There is no dev-java/icedtea-bin-6.1.11.3-r1 in portage as of now!?

Comment 4 Agostino Sarubbo 2012-11-16 18:13:56 UTC

amd64 stable

Comment 5 Vlastimil Babka (Caster) (RETIRED) 2012-11-18 18:18:36 UTC

(In reply to comment #3)
> There is no dev-java/icedtea-bin-6.1.11.3-r1 in portage as of now!?

Sorry, it was 6.1.11.5-r1

Comment 6 Agostino Sarubbo 2012-11-18 18:20:27 UTC

(In reply to comment #5)
> (In reply to comment #3)
> > There is no dev-java/icedtea-bin-6.1.11.3-r1 in portage as of now!?
> 
> Sorry, it was 6.1.11.5-r1

I know, I did it correctly:

 16 Nov 2012; Agostino Sarubbo <ago@gentoo.org>
  icedtea-bin-6.1.11.5-r1.ebuild:
  Stable for amd64, wrt bug #442478

Comment 7 Agostino Sarubbo 2012-12-03 20:49:01 UTC

x86 stable

Comment 8 Sean Amoss (RETIRED) 2012-12-04 22:55:52 UTC

Thanks, everyone.

Already on existing GLSA draft.

Comment 9 James Le Cuirot 2015-05-10 22:00:27 UTC

I'm just going to close this since no one cares. These versions have long gone.