Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 451206 (CVE-2013-0422) - <dev-java/oracle-{jdk,jre}-bin-1.7.0.11: Unspecified remote code execution vulnerability (CVE-2012-3174,CVE-2013-0422)
Summary: <dev-java/oracle-{jdk,jre}-bin-1.7.0.11: Unspecified remote code execution vu...
Status: RESOLVED FIXED
Alias: CVE-2013-0422
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.kb.cert.org/vuls/id/625617
Whiteboard: B2 [glsa]
Keywords:
: 451980 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-01-10 16:14 UTC by Sean Amoss
Modified: 2014-01-27 01:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss gentoo-dev Security 2013-01-10 16:14:20 UTC
CERT Vulnerability Note VU#625617. 

Limited information at $URL. Issue appears to affect Java 7 u10 and prior.
Comment 1 Ralph Sennhauser (RETIRED) gentoo-dev 2013-01-14 07:19:14 UTC
The following are now in tree and need to be stabilized on x86. Thanks.

=dev-java/oracle-jdk-bin-1.7.0.11
=dev-java/oracle-jre-bin-1.7.0.11
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2013-01-14 10:24:49 UTC
*** Bug 451980 has been marked as a duplicate of this bug. ***
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-01-14 11:59:20 UTC
CVE-2013-0422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422):
  The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7
  Update 10 and earlier allows remote attackers to execute arbitrary code via
  vectors related to unspecified classes that allow access to the class
  loader, as exploited in the wild in January 2013, as demonstrated by
  Blackhole and Nuclear Pack, and a different vulnerability than
  CVE-2012-4681.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-01-16 00:18:56 UTC
CVE-2012-3174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174):
  Oracle Java 7 before Update 11 allows remote attackers to execute arbitrary
  code via unspecified vectors, a different vulnerability than CVE-2013-0422. 
  NOTE: as of 20130114, the scope of this CVE is not clear due to the lack of
  technical details from Oracle, the CNA.  It is currently unknown whether
  this CVE is related to (1) the findClass method in the MBeanInstantiator
  class, (2) recursive use of the reflection API, (3) an unrelated
  vulnerability, or (4) a combination of two or more of these vulnerabilities.
Comment 5 Myckel Habets archtester 2013-01-19 08:59:12 UTC
I get:

 * Please download jdk-7u6-apidocs.zip from 
 * http://www.oracle.com/technetwork/java/javase/documentation/java-se-7-doc-download-435117.html

Link only gives jdk-7u11-apidocs.zip to download. What should I do with this?
Comment 6 Myckel Habets archtester 2013-01-19 09:23:46 UTC
(In reply to comment #5)
> I get:
> 
>  * Please download jdk-7u6-apidocs.zip from 
>  *
> http://www.oracle.com/technetwork/java/javase/documentation/java-se-7-doc-
> download-435117.html
> 
> Link only gives jdk-7u11-apidocs.zip to download. What should I do with this?

Seems to be caused by the package dev-java/java-sdk-docs-1.7.0.6
Comment 7 Ralph Sennhauser (RETIRED) gentoo-dev 2013-01-19 12:21:16 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > I get:
> > 
> >  * Please download jdk-7u6-apidocs.zip from 
> >  *
> > http://www.oracle.com/technetwork/java/javase/documentation/java-se-7-doc-
> > download-435117.html
> > 
> > Link only gives jdk-7u11-apidocs.zip to download. What should I do with this?
> 
> Seems to be caused by the package dev-java/java-sdk-docs-1.7.0.6

Bumped to 1.7.0.11, please add =dev-java/java-sdk-docs-1.7.0.11 to the stabilization list.
Comment 8 Myckel Habets archtester 2013-01-21 06:36:57 UTC
Builds fine on x86. Please mark stable for x86.
Comment 9 Agostino Sarubbo gentoo-dev 2013-02-14 13:15:00 UTC
x86 done in bug 455174
Comment 10 Sean Amoss gentoo-dev Security 2013-03-17 15:22:47 UTC
Already on existing GLSA draft.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 01:27:51 UTC
This issue was resolved and addressed in
 GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml
by GLSA coordinator Sean Amoss (ackle).