Pardus: Sun-JDK Multiple Vulnerabilities
Posted by Bill Keys
------------------------------------------------------------------------
Pardus Linux Security Advisory 2008-83 security@pardus.org.tr
------------------------------------------------------------------------
Date: 2008-12-23
Severity: 5
Type: Remote
------------------------------------------------------------------------
Summary
=======
Some vulnerabilities have been reported in Sun Java, which can be
exploited by malicious people to bypass certain security restrictions,
disclose sensitive information, cause a DoS (Denial of service), or
compromise a vulnerable system.
Description
===========
1) The Java Runtime Environment (JRE) creates temporary files with
insufficiently random, and therefore predictable, names. An attacker who
can guess a name in advance can exploit this to write arbitrary JAR files
and perform restricted actions on the affected system.
2) An error exists in the Java AWT library when processing image models.
This can be exploited to cause a heap-based buffer overflow via a
specially crafted "Raster" image model used in a "ConvolveOp" operation.
3) An error in Java Web Start when processing certain GIF header values
can be exploited to cause a memory corruption via a specially crafted
splash logo.
4) An integer overflow error in the processing of TrueType fonts can be
exploited to cause a heap-based buffer overflow.
5) An error in the JRE can be exploited to establish network connections
to arbitrary hosts.
6) An error when launching Java Web Start applications can be exploited
by an untrusted application to e.g. read, write, or execute local files
with the privileges of the user running the application.
7) An error can be exploited by an untrusted Java Web Start application
to obtain the current username and the location of the Java Web Start
cache.
8) An error in Java Web Start can be exploited to modify system
properties (e.g. java.home, java.ext.dirs, and user.home) via specially
crafted JNLP files.
9) An error in Java Web Start and Java Plug-in can be exploited to
hijack HTTP sessions.
10) An error in the JRE applet class loading functionality can be
exploited to read arbitrary files and establish network connections to
arbitrary hosts.
11) An error in the Java Web Start BasicService can be exploited to open
arbitrary local files in the user's browser.
12) The "Java Update" mechanism does not verify the digital signature of
the downloaded update package. This can be exploited to execute arbitrary
code via e.g. a MitM (Man-in-the-Middle) or DNS spoofing attack.
13) A boundary error exists when processing the "Main-Class" manifest
entry of a JAR file. This can be exploited to cause a stack-based buffer
overflow via a specially crafted JAR file.
14) An error when deserializing calendar objects can be exploited by an
untrusted Java applet to e.g. read, write, or execute local files.
15) An integer overflow error in JRE can be exploited to cause a
heap-based buffer overflow via a specially crafted Pack200 compressed
JAR file.
16) The UTF-8 decoder accepts encodings that are longer than the
"shortest" form (overlong encodings). This can potentially be exploited to
trick applications using the decoder into accepting invalid sequences that
a filter applied before decoding does not recognise, and e.g. disclose
sensitive information via specially crafted URIs.
17) An error in the JRE can be exploited to list the contents of the
user's home directory.
18) An error when processing RSA public keys can be exploited to consume
large amounts of CPU.
19) An error in the JRE Kerberos authentication mechanism can be
exploited to potentially exhaust operating system resources.
20) Multiple errors in the JAX-WS and JAXB JRE packages can be exploited
by an untrusted Java applet to e.g. read, write, or execute local files.
21) An error when processing ZIP files can be exploited to disclose
arbitrary memory locations from the host process.
22) An error can be exploited by malicious code loaded from the local
filesystem to gain network access to the local host.
23) A boundary error in the processing of TrueType fonts can be
exploited to cause a heap-based buffer overflow.
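The temporary-file weakness in item 1 is a general pattern, not specific to Java: a name an attacker can guess combined with an open that does not insist on creating a new file. The following is an added example written for this page in Python; it is not JRE code and the scenario it runs (a scratch directory, a "victim" file, a counter-based name jar_cache_0.jar and a symlink an attacker plants there) is constructed to show the vulnerable pattern next to its hardened form.

```python
# Added example (not JRE code): predictable temp name plus non-exclusive open,
# beside the hardened form. The directory layout, the victim file and the
# name jar_cache_0.jar are all constructed for this illustration.
import os
import tempfile


def write_temp_predictable(directory: str, seq: int, payload: bytes) -> str:
    """Insecure: the name is guessable from a counter, and open(..., 'wb')
    follows a symlink already sitting at that name and truncates its target."""
    path = os.path.join(directory, f"jar_cache_{seq}.jar")
    with open(path, "wb") as fh:
        fh.write(payload)
    return path


def write_temp_secure(directory: str, payload: bytes) -> str:
    """Hardened: mkstemp draws a random name and opens it with
    O_CREAT | O_EXCL (mode 0600), so anything pre-planted at a guessed name
    is never followed or reused; a collision makes mkstemp pick again."""
    fd, path = tempfile.mkstemp(prefix="jar_cache_", suffix=".jar", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path


def exclusive_create_fails(path: str) -> bool:
    """The single check that defeats a planted file or symlink: with O_EXCL
    the open fails if anything already exists at the path."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False


def planted_name_is_refused() -> bool:
    """Plant a file at the guessable name and confirm an exclusive create refuses it."""
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "jar_cache_0.jar")
        open(planted, "wb").close()
        return exclusive_create_fails(planted)


def run_scenario(attacker_plants_symlink: bool, use_secure: bool) -> bytes:
    """Constructed scenario: a victim file, an attacker who may plant a symlink
    at the guessable name pointing at it, then the writer runs.
    Returns the victim file's final contents so the outcome can be checked."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "wb") as fh:
            fh.write(b"original")
        if attacker_plants_symlink:
            os.symlink(victim, os.path.join(d, "jar_cache_0.jar"))
        if use_secure:
            write_temp_secure(d, b"PK\x03\x04 cached jar bytes")
        else:
            write_temp_predictable(d, 0, b"PK\x03\x04 cached jar bytes")
        with open(victim, "rb") as fh:
            return fh.read()


if __name__ == "__main__":
    # Insecure writer follows the planted symlink and overwrites the victim.
    print(run_scenario(attacker_plants_symlink=True, use_secure=False))
    # Hardened writer leaves the victim untouched.
    print(run_scenario(attacker_plants_symlink=True, use_secure=True))
```

The two properties that matter are independent: an unpredictable name makes the planted path unlikely to be hit, and O_EXCL makes hitting it fail loudly rather than silently redirecting the write. Randomness alone is not enough if the open still follows whatever is already there.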
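Item 16 is about non-shortest-form (overlong) UTF-8: the byte pair C0 AF decodes to the same "/" as the single byte 2F if the decoder does not enforce the shortest-form rule, so a filter that inspects the raw bytes for ".." or "/" before decoding never sees the traversal. The following is an added example in Python, not the JRE decoder: a strict decoder that enforces shortest form, a deliberately permissive one of the kind the advisory describes, and a naive filter-then-decode check that only the permissive decoder lets through. The input OVERLONG_DOTDOTSLASH is constructed for the demonstration.

```python
# Added example (not JRE code): strict UTF-8 decoding with the shortest-form
# check, beside a permissive decoder that lacks it, and the filter ordering
# that an overlong sequence exploits.


def decode_utf8_strict(data: bytes) -> str:
    """Decode UTF-8, raising ValueError on overlong forms, stray or missing
    continuation bytes, UTF-16 surrogates and code points above U+10FFFF."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:
            cp, need, minimum = b0, 0, 0
        elif 0xC2 <= b0 <= 0xDF:
            cp, need, minimum = b0 & 0x1F, 1, 0x80
        elif 0xE0 <= b0 <= 0xEF:
            cp, need, minimum = b0 & 0x0F, 2, 0x800
        elif 0xF0 <= b0 <= 0xF4:
            cp, need, minimum = b0 & 0x07, 3, 0x10000
        else:
            # 0x80-0xBF: continuation byte with no lead; 0xC0/0xC1: can only
            # start an overlong 2-byte form; 0xF5-0xFF: beyond U+10FFFF.
            raise ValueError(f"invalid lead byte 0x{b0:02x} at offset {i}")
        if i + need >= n:
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{b:02x} at offset {i + k}")
            cp = (cp << 6) | (b & 0x3F)
        # Shortest-form rule: a value that fits in fewer bytes was overlong.
        if cp < minimum:
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"invalid code point U+{cp:04X} at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def decode_utf8_lenient(data: bytes) -> str:
    """Permissive decoder, kept only to show the failure mode: it trusts the
    length announced by the lead byte and never checks shortest form, so
    C0 AF decodes to '/' exactly like 2F does."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:
            cp, need = b0, 0
        elif b0 >> 5 == 0b110:
            cp, need = b0 & 0x1F, 1
        elif b0 >> 4 == 0b1110:
            cp, need = b0 & 0x0F, 2
        elif b0 >> 3 == 0b11110:
            cp, need = b0 & 0x07, 3
        else:
            raise ValueError(f"invalid lead byte 0x{b0:02x} at offset {i}")
        if i + need >= n:
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def filter_then_decode(decoder, raw: bytes) -> str:
    """The vulnerable ordering: look for traversal in the raw bytes, then decode."""
    if b".." in raw or b"/" in raw:
        raise ValueError("path traversal rejected")
    return decoder(raw)


def traversal_bypassed(decoder, raw: bytes) -> bool:
    """True if the filter passes raw and the decoded result still contains '../'."""
    try:
        return "../" in filter_then_decode(decoder, raw)
    except ValueError:
        return False


def strict_rejects(raw: bytes) -> bool:
    try:
        decode_utf8_strict(raw)
        return False
    except ValueError:
        return True


# Constructed input: "../" with each byte in its overlong 2-byte form.
OVERLONG_DOTDOTSLASH = b"\xc0\xae\xc0\xae\xc0\xaf"

if __name__ == "__main__":
    print(decode_utf8_lenient(OVERLONG_DOTDOTSLASH))                      # ../
    print(traversal_bypassed(decode_utf8_lenient, OVERLONG_DOTDOTSLASH))  # True
    print(traversal_bypassed(decode_utf8_strict, OVERLONG_DOTDOTSLASH))   # False
```

The fix on the application side is the same whichever decoder the runtime ships: decode first, then apply the check to the resulting characters, and treat any decoding error as a rejection rather than falling back to a lenient interpretation.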
Affected packages:
Pardus 2008:
sun-jdk, all before 1.6.0_p11-17-4
sun-jdk-demo, all before 1.6.0_p11-17-1
sun-jdk-doc, all before 1.6.0_p11-17-1
sun-jdk-samples, all before 1.6.0_p11-17-1
sun-jre, all before 1.6.0_p11-17-4
Resolution
==========
Updates are available for sun-jdk, sun-jdk-demo, sun-jdk-doc,
sun-jdk-samples and sun-jre. You can update them via Package Manager or
with a single command from the console:
pisi up sun-jdk sun-jdk-demo sun-jdk-doc sun-jdk-samples sun-jre
References
==========
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-244989-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-244990-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-244992-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-245246-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-246266-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-246286-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-246346-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-246366-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-246386-1
* http://sunsolve.sun.com/search/document.do?assetkey=1-66-246387-1
* http://secunia.com/Advisories/32991/
------------------------------------------------------------------------
--
Pardus Security Team
http://security.pardus.org.tr