
Bug 461714

Summary: <dev-java/icedtea{,-bin}-{6.1.12.4,7.2.3.8}: multiple vulnerabilities (CVE-2013-{0809,1493})
Product: Gentoo Security
Reporter: Ralph Sennhauser (RETIRED) <sera>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: java, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Comment 1 Ralph Sennhauser (RETIRED) gentoo-dev 2013-03-14 11:12:17 UTC
The following are now in tree:

=dev-java/icedtea-6.1.12.4
=dev-java/icedtea-7.2.3.8

Bumps for older branches can be found in java-overlay. Thanks go to Andrew John Hughes.
Comment 2 Agostino Sarubbo gentoo-dev 2013-03-17 14:48:08 UTC
(In reply to comment #1)
> The following are now in tree:
> 
> =dev-java/icedtea-6.1.12.4
> =dev-java/icedtea-7.2.3.8
> 
> Bumps for older branches can be found in java-overlay. Thanks go to Andrew
> John Hughes.

Why isn't there a fixed version of dev-java/icedtea-bin in tree?
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-03-19 10:30:21 UTC
CVE-2013-1493 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1493):
  The color management (CMM) functionality in the 2D component in Oracle Java
  SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and
  earlier allows remote attackers to execute arbitrary code or cause a denial
  of service (crash) via an image with crafted raster parameters, which
  triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as
  exploited in the wild in February 2013.

CVE-2013-0809 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0809):
  Unspecified vulnerability in the 2D component in the Java Runtime
  Environment (JRE) component in Oracle Java SE 7 Update 15 and earlier, 6
  Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers
  to execute arbitrary code via unknown vectors, a different vulnerability
  than CVE-2013-1493.
Comment 4 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2013-03-24 13:27:00 UTC
(In reply to comment #2)
> Why isn't there a fixed version of dev-java/icedtea-bin in tree?

Because I slack! But now there are.

Please stabilize =dev-java/icedtea-bin-6.1.12.4
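The fixed versions named in the summary and in comments 1 and 4 are the practical test for this bug: an installed dev-java/icedtea or dev-java/icedtea-bin below 6.1.12.4 on the 6 branch, or below 7.2.3.8 on the 7 branch, still carries CVE-2013-0809 and CVE-2013-1493. The script below is an added example, not part of this bug or of Gentoo's tooling. It parses package/version strings in the form `qlist -ICv` prints them (the sample list is constructed for illustration), compares each installed version against the fixed version for its branch, and emits the `>=cat/pkg-ver` atoms a GLSA would tell you to emerge. The `-rN` revision handling and the branch-by-major-number mapping are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions per package and per major branch, from the bug summary:
# <dev-java/icedtea{,-bin}-{6.1.12.4,7.2.3.8}
FIXED: Dict[str, Dict[str, str]] = {
    "dev-java/icedtea": {"6": "6.1.12.4", "7": "7.2.3.8"},
    "dev-java/icedtea-bin": {"6": "6.1.12.4", "7": "7.2.3.8"},
}

# Constructed sample in the shape of `qlist -ICv` output (not a real system).
SAMPLE_QLIST = """\
dev-java/icedtea-6.1.12.3
dev-java/icedtea-7.2.3.8
dev-java/icedtea-bin-7.2.3.7-r1
dev-java/icedtea-bin-6.1.12.4
dev-java/ant-core-1.8.4
"""

# category/package, then a dotted numeric version, then an optional -rN revision.
# Non-greedy package match so the first "-<digits>" that reaches end-of-string
# is taken as the version separator.
_CPV = re.compile(r"^(?P<cp>[\w+./-]+?)-(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$")


def parse_cpv(cpv: str) -> Tuple[str, Tuple[int, ...], int]:
    """Split 'cat/pkg-1.2.3-r1' into ('cat/pkg', (1, 2, 3), 1)."""
    m = _CPV.match(cpv.strip())
    if m is None:
        raise ValueError(f"not a cat/pkg-version string: {cpv!r}")
    version = tuple(int(part) for part in m.group("ver").split("."))
    revision = int(m.group("rev") or 0)
    return m.group("cp"), version, revision


def audit(installed: List[str]) -> List[Tuple[str, str]]:
    """Classify each installed cpv that this bug covers.

    Returns (cpv, status) pairs; status is 'fixed', 'vulnerable' or
    'unknown branch'. Packages not in FIXED are ignored.
    """
    results: List[Tuple[str, str]] = []
    for line in installed:
        if not line.strip():
            continue
        cp, version, revision = parse_cpv(line)
        branches = FIXED.get(cp)
        if branches is None:
            continue  # not one of the packages in this bug
        fixed = branches.get(str(version[0]))  # branch = major number (assumption)
        if fixed is None:
            results.append((line.strip(), "unknown branch"))
            continue
        _, fixed_version, fixed_revision = parse_cpv(f"{cp}-{fixed}")
        # Tuple comparison handles 6.1.12 < 6.1.12.4 and revisions break ties.
        ok = (version, revision) >= (fixed_version, fixed_revision)
        results.append((line.strip(), "fixed" if ok else "vulnerable"))
    return results


def remediation(results: List[Tuple[str, str]]) -> List[str]:
    """Return the '>=cat/pkg-ver' atoms needed to clear every vulnerable entry."""
    atoms: List[str] = []
    for cpv, status in results:
        if status != "vulnerable":
            continue
        cp, version, _ = parse_cpv(cpv)
        atom = f">={cp}-{FIXED[cp][str(version[0])]}"
        if atom not in atoms:
            atoms.append(atom)
    return atoms


if __name__ == "__main__":
    found = audit(SAMPLE_QLIST.splitlines())
    for cpv, status in found:
        print(f"{status:14s} {cpv}")
    for atom in remediation(found):
        print(f'emerge --ask --oneshot --verbose "{atom}"')
```

On a real box, feed it `qlist -ICv dev-java/icedtea dev-java/icedtea-bin` instead of the constructed sample; a version with an unexpected major number is reported as "unknown branch" rather than silently passed, since the table only knows the 6 and 7 branches this bug covers.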
Comment 5 Agostino Sarubbo gentoo-dev 2013-03-25 21:15:21 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-03-25 21:15:50 UTC
amd64 stable
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-20 11:47:27 UTC
Added to existing GLSA draft.
Comment 8 James Le Cuirot gentoo-dev 2015-05-10 21:57:16 UTC
I'm just going to close this since no one cares. These versions have long gone.