CVE-2008-4910 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4910): The BasicService in Sun Java Web Start allows remote attackers to execute arbitrary programs on a client machine via a file:// URL argument to the showDocument method.
POC: http://downloads.securityfocus.com/vulnerabilities/exploits/31916.java

Java, I know that we have java Webstart in sun-jdk and sun-jre, can someone help us and test the POC, I've really no idea how to do it, and it would not be time efficient to research this right now.
java: ping!
(In reply to comment #2)
> java: ping!

Well testing that requires to learn how to write java web start stuff and create the necessary stuff so it's not something that is done in a couple of minutes and probably not something that would inspire people that much. I just tried if I could do it quickly but seems like it requires more work.
Anyway, I suggest we don't look into it as we are stabling new versions anyway.
I just wanted feedback, according to our vulnerability policy our timeline for A2 is 5 days and the bug was opened 8 days ago. If we stable newer versions anyways, we don't have a problem here. Thanks!
(In reply to comment #5)
> I just wanted feedback, according to our vulnerability policy our timeline for
> A2 is 5 days and the bug was opened 8 days ago.
> If we stable newer versions anyways, we don't have a problem here.
> Thanks!

The new stable version went stable some days ago.
(In reply to comment #6)
> The new stable version went stable some days ago.

One thing to note is that 1.6.0.10 should have the same security baseline as 07.
There doesn't seem to be an upstream statement to this issue, as there is for most of the web start issues. I think we ignore those issues that are not picked up by regular upstream releases...
(In reply to comment #8)
> There doesn't seem to be an upstream statement to this issue, as there is for
> most of the web start issues. I think we ignore those issues that are not
> picked up by regular upstream releases...

There's bug 250012 now so might consider adding this to that one.
I guess this is issue (11) in the list mentioned on bug 250012, so I'd call it a dupe. I'm not totally sure about them being exactly the same, though.
(In reply to comment #10)
> I guess this is issue (11) in the list mentioned on bug 250012, so I'd call it
> a dupe. I'm not totally sure about them being exactly the same, though.

Yeah, both say it's opening local files in browser via file:// URLs. Whether the browser has an associated application to open the file doesn't matter. Duping.

*** This bug has been marked as a duplicate of bug 250012 ***