http://blog.fuseyism.com/index.php/2011/01/18/security-icedtea6-177-184-194-released/
Updated ebuilds in java-overlay.
Reproducible: Always
Quoting $URL: It was discovered that the JNLPSecurityManager in certain cases failed to properly implement the security policy, and did not throw an exception to prevent completion of a possibly unsafe or sensitive operation and simply returned from the checkPermission method. Any service relying on the SecurityManager.checkPermission() method to throw an exception then incorrectly assumed that the permission was granted.
(In reply to comment #0)
> Updated ebuilds in java-overlay.
In tree as well, for the source dev-java/icedtea package. Now building icedtea6-bin.
CVE-2010-4351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4351): The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7, 1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creating instances of ClassLoader.
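The contract that the two comments above describe, written out as an added Java illustration (this is not code from IcedTea, netx or this bug): a SecurityManager denies a permission only by throwing SecurityException, so a checkPermission that merely returns on a denied request is read by every caller as a grant. The class names and the deny-everything policy below are constructed for the example.

```java
import java.security.Permission;

// Constructed policy: every permission asked about is supposed to be denied.
final class FailOpenManager extends SecurityManager {
    @Override
    public void checkPermission(Permission perm) {
        if (!Policy.allowed(perm)) {
            return; // BUG: silent return, so the caller treats the denial as a grant
        }
    }
}

final class FailClosedManager extends SecurityManager {
    @Override
    public void checkPermission(Permission perm) {
        if (!Policy.allowed(perm)) {
            throw new SecurityException("denied: " + perm); // the only way to deny
        }
    }
}

final class Policy {
    // Constructed: nothing is allowed, so both managers should deny every request.
    static boolean allowed(Permission perm) {
        return false;
    }
}

public class CheckPermissionContract {
    // What callers of SecurityManager.checkPermission() actually rely on:
    // normal return means granted, SecurityException means denied.
    static boolean granted(SecurityManager sm, Permission perm) {
        try {
            sm.checkPermission(perm);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The permission guarding ClassLoader construction, as named in the CVE text.
        Permission perm = new RuntimePermission("createClassLoader");
        System.out.println("fail-open manager grants:   " + granted(new FailOpenManager(), perm));
        System.out.println("fail-closed manager grants: " + granted(new FailClosedManager(), perm));
    }
}
```

Only the fail-closed manager reports the request as denied; the fail-open one is indistinguishable from a manager that approved it, which is the whole of the bug described above.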
The version bump for dev-java/icedtea caused bug 352314.
Done, please stabilize dev-java/icedtea6-bin-1.9.4
x86 stable
amd64 ok
amd64 done. Thanks, Agostino.
Thanks, folks. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201406-32 at http://security.gentoo.org/glsa/glsa-201406-32.xml by GLSA coordinator Mikle Kolyada (Zlogene).