Bug 452432 (CVE-2012-3174) - <dev-java/icedtea{,-bin}-7.2.3.4: Multiple vulnerabilities (CVE-2012-3174,CVE-2013-0422)
Status: RESOLVED FIXED
Alias: CVE-2012-3174
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://mail.openjdk.java.net/pipermai...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2013-01-16 06:48 UTC by Ralph Sennhauser (RETIRED)
Modified: 2013-01-24 19:56 UTC
See Also:
Package list:
Runtime testing required: ---
Description Ralph Sennhauser (RETIRED) gentoo-dev 2013-01-16 06:48:44 UTC
New security release, see URL.

Andrew John Hughes already bumped the ebuilds in java-overlay. Thanks.

Icedtea and icedtea-bin bumps in main tree are pending.
Comment 1 Ralph Sennhauser (RETIRED) gentoo-dev 2013-01-16 21:22:52 UTC
Added =dev-java/icedtea-7.2.3.4 to main tree.
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2013-01-22 22:18:54 UTC
icedtea-bin bumped to 7.2.3.4. Slot not stable so we are done?
Comment 3 Sean Amoss gentoo-dev Security 2013-01-24 19:56:29 UTC
Thanks, everyone.

Maintainers, please don't forget to drop vulnerable versions.

Closing noglsa for ~arch only.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-01-24 19:56:40 UTC
CVE-2013-0422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422):
  Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote
  attackers to execute arbitrary code by (1) using the public
  getMBeanInstantiator method in the JmxMBeanServer class to obtain a
  reference to a private MBeanInstantiator object, then retrieving arbitrary
  Class references using the findClass method, and (2) using the Reflection
  API with recursion in a way that bypasses a security check by the
  java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the
  inability of the sun.reflect.Reflection.getCallerClass method to skip frames
  related to the new reflection API, as exploited in the wild in January 2013,
  as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability
  than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the
  recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a
  different vulnerability whose details are not public as of 20130114. 
  CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it
  was originally reported that Java 6 was also vulnerable, but the reporter
  has retracted this claim, stating that Java 6 is not exploitable because the
  relevant code is called in a way that does not bypass security checks. 
  NOTE: as of 20130114, a reliable third party has claimed that the
  findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.
  If there is still a vulnerable condition, then a separate CVE identifier
  might be created for the unfixed issue.

CVE-2012-3174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174):
  Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors, a different vulnerability than CVE-2013-0422.  NOTE: some parties
  have mapped CVE-2012-3174 to an issue involving recursive use of the
  Reflection API, but that issue is already covered as part of CVE-2013-0422. 
  This identifier is for a different vulnerability whose details are not
  public as of 20130114.