Bug 429522 (CVE-2012-3422) - <dev-java/icedtea-web-1.2.1, <dev-java/icedtea-bin-6.1.11.3-r1: multiple vulnerabilities (CVE-2012-{3422,3423})
Status: RESOLVED FIXED
Alias: CVE-2012-3422
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://mail.openjdk.java.net/pipermai...
Whiteboard: B2 [glsa]
Reported: 2012-08-02 15:24 UTC by Sean Amoss (RETIRED)
Modified: 2015-05-10 21:59 UTC
Description Sean Amoss (RETIRED) gentoo-dev Security 2012-08-02 15:24:59 UTC
From the upstream notification at $URL:

IcedTea-Web 1.1.6 and 1.2.1 have now been released. In addition to bug fixes,
they include 2 security fixes and it is therefore recommended that everyone
upgrade to this release. The security issues fixed are:

RH840592, CVE-2012-3422: Use of uninitialized instance pointers
RH841345, CVE-2012-3423: Incorrect handling of non 0-terminated strings
Comment 1 Ralph Sennhauser (RETIRED) gentoo-dev 2012-08-02 18:04:27 UTC
Added the following to tree:

=dev-java/icedtea-web-1.2.1
=dev-java/icedtea-web-1.2.1-r7

Thanks for the report.

PS: New icedtea-bin packages still need to be added.
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-08-03 00:44:24 UTC
(In reply to comment #1)
> Added the following to tree:
> 
> =dev-java/icedtea-web-1.2.1
> =dev-java/icedtea-web-1.2.1-r7
> 
> Thanks for the report.
> 
> PS: New icedtea-bin packages still need to be added.

I've prepared everything for icedtea-bin and during tests I found icedtea-web-1.2.1 (and -r7) crashes my firefox immediately on the test applet http://www.java.com/en/download/testjava.jsp. Did it work for you, sera?
Comment 3 Ralph Sennhauser (RETIRED) gentoo-dev 2012-08-03 04:43:54 UTC
Yes, works fine for me with Firefox 10.0.5 and icedtea-6.1.11.3 resp. icedtea-7.2.2.1.
Comment 4 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-08-03 12:46:30 UTC
Crashes on two boxes so far with firefox 14.0.1 and archlinux people reported this upstream already http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1106
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-08-03 21:11:58 UTC
So, I fixed icedtea-web with a patch whose idea upstream confirmed. Due to the security bug I've created icedtea-bin based on that.

Please stabilize dev-java/icedtea-bin-6.1.11.3-r1 including test of the nsplugin.
Comment 6 Agostino Sarubbo gentoo-dev 2012-08-06 17:52:41 UTC
amd64 stable
Comment 7 Andreas Schürch gentoo-dev 2012-08-08 11:04:18 UTC
(In reply to comment #5)
> Please stabilize dev-java/icedtea-bin-6.1.11.3-r1 including test of the
> nsplugin.

x86 done
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-08-08 11:30:52 UTC
CVE-2012-3423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3423):
  The IcedTea-Web plugin before 1.2.1 does not properly handle NPVariant
  NPStrings without NUL terminators, which allows remote attackers to cause a
  denial of service (crash), obtain sensitive information from memory, or
  execute arbitrary code via a crafted Java applet.

CVE-2012-3422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3422):
  The getFirstInTableInstance function in the IcedTea-Web plugin before 1.2.1
  returns an uninitialized pointer when the instance_to_id_map hash is empty,
  which allows remote attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via a crafted web page, which causes an
  uninitialized memory location to be read.
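
The two defect classes named in the CVE descriptions above, sketched as an added example (not IcedTea-Web's code and not part of the bug thread). `np_string` is a local stand-in shaped like NPAPI's NPString; `instance_table`, `np_string_to_cstr` and `first_instance` are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in with the same shape as NPAPI's NPString: a byte pointer
 * plus an explicit length. Nothing guarantees a NUL after the last byte. */
typedef struct {
    const char *UTF8Characters;
    uint32_t    UTF8Length;
} np_string;

/* Copy exactly UTF8Length bytes and append the terminator ourselves.
 * strlen()/strdup() on UTF8Characters would read past the buffer. */
char *np_string_to_cstr(const np_string *s)
{
    if (s == NULL || (s->UTF8Characters == NULL && s->UTF8Length != 0))
        return NULL;
    size_t n = s->UTF8Length;
    if (n + 1 == 0)                      /* n + 1 would wrap to zero */
        return NULL;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    if (n != 0)
        memcpy(out, s->UTF8Characters, n);
    out[n] = '\0';
    return out;
}

/* Hypothetical instance table; the plugin's own map type is not modelled. */
typedef struct {
    void  *instances[8];
    size_t count;
} instance_table;

/* The result starts as NULL, so an empty table yields a defined value
 * instead of whatever was left in an uninitialized local. */
void *first_instance(const instance_table *t)
{
    void *result = NULL;
    if (t != NULL && t->count > 0)
        result = t->instances[0];
    return result;
}
```

Callers of either function still have to check for NULL before dereferencing the result.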
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-09 13:31:29 UTC
Thanks, everyone. 

Added to existing GLSA request.
Comment 10 R Stephan 2012-08-11 09:32:07 UTC
While the Sun test applet starts after a delay with 1.2.1-r8 and FF 14.0.1 (AMD), the applet on this page fails to start, also using bin-6 or bin-7.

http://toolserver.org/~ayacop/EditorApplet.html

(it's the newest JChemPaint applet). Start: Applet not initialized
Caused by: 
net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Unknown Main-Class. Could not determine the main class for this application.
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.initializeResources(JNLPClassLoader.java:511)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.<init>(JNLPClassLoader.java:204)

The applet loads fine with sun-jre-bin, however.
Comment 11 Ralph Sennhauser (RETIRED) gentoo-dev 2012-09-25 14:09:26 UTC
(In reply to comment #10)
> While the Sun test applet starts after a delay with 1.2.1-r8 and FF 14.0.1
> (AMD) the applet on this page fails to start, also using bin-6 or bin-7.
> 
> http://toolserver.org/~ayacop/EditorApplet.html
> 

Works for me with icedtea-web 1.3, so removed vulnerable versions from tree.
Comment 12 James Le Cuirot gentoo-dev 2015-05-10 21:59:55 UTC
I'm just going to close this since no one cares. These versions have long gone.