Bug 442478 (CVE-2012-4540) - <dev-java/icedtea-web-1.3.1, <dev-java/icedtea-bin- buffer overflow (CVE-2012-4540)
Alias: CVE-2012-4540
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2012-11-09 18:59 UTC by Agostino Sarubbo
Modified: 2015-05-10 22:00 UTC
Description Agostino Sarubbo gentoo-dev 2012-11-09 18:59:07 UTC
From :

IcedTea-Web versions 1.1.7, 1.2.2 and 1.3.1 that were just released fix
a buffer overflow IcedTeaScriptableJavaObject::invoke.  The issue got
CVE-2012-4540 assigned.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-11 16:22:26 UTC
CVE-2012-4540 (
  Off-by-one error in the invoke function in
  in IcedTea-Web 1.1.x before 1.1.7, 1.2.x before 1.2.2, and 1.3.x before
  1.3.1 allows remote attackers to obtain sensitive information, cause a
  denial of service (crash), or possibly execute arbitrary code via a crafted
  webpage that triggers a heap-based buffer overflow, related to an error
  message and a "triggering event attached to applet."
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-11-14 22:56:45 UTC
icedtea-web bumped to 1.3.1

nsplugin part of icedtea-bin built and bumped
Please stabilize dev-java/icedtea-bin-
(test the nsplugin, the rest is unchanged from -r0)
Comment 3 Andreas Schürch gentoo-dev 2012-11-15 15:33:36 UTC
There is no dev-java/icedtea-bin- in portage as of now!?
Comment 4 Agostino Sarubbo gentoo-dev 2012-11-16 18:13:56 UTC
amd64 stable
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-11-18 18:18:36 UTC
(In reply to comment #3)
> There is no dev-java/icedtea-bin- in portage as of now!?

Sorry, it was
Comment 6 Agostino Sarubbo gentoo-dev 2012-11-18 18:20:27 UTC
(In reply to comment #5)
> (In reply to comment #3)
> > There is no dev-java/icedtea-bin- in portage as of now!?
> Sorry, it was

I know, I did it correctly:

 16 Nov 2012; Agostino Sarubbo <>
  Stable for amd64, wrt bug #442478
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-03 20:49:01 UTC
x86 stable
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-04 22:55:52 UTC
Thanks, everyone.

Already on existing GLSA draft.
Comment 9 James Le Cuirot gentoo-dev 2015-05-10 22:00:27 UTC
I'm just going to close this since no one cares. These versions have long gone.