Pardus: Sun-JDK Multiple Vulnerabilities
Posted by Bill Keys   
Some vulnerabilities have been reported in Sun Java, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of service), or compromise a vulnerable system.
------------------------------------------------------------------------
Pardus Linux Security Advisory 2008-83            security@pardus.org.tr
------------------------------------------------------------------------
     Date: 2008-12-23
 Severity: 5
     Type: Remote
------------------------------------------------------------------------

Summary
=======

Some vulnerabilities have been reported  in  Sun  Java,  which  can  be
exploited by malicious people to bypass certain security  restrictions,
disclose sensitive information, cause a DoS  (Denial  of  service),  or
compromise a vulnerable system.


Description
===========

1)  Java Runtime  Environment  (JRE)  creates  temporary  files   with
insufficiently random names. This can be exploited to  write  arbitrary
JAR files and perform restricted actions on the affected system.



2) An error exists in the Java AWT library when processing image models.
This can be exploited to cause  a  heap-based  buffer  overflow  via  a
specially crafted "Raster" image model used in a "ConvolveOp" operation.



3) An error in Java Web Start when processing certain GIF header values
can be exploited to cause a memory corruption via a  specially  crafted
splash logo.



4) An integer overflow error in the processing of TrueType fonts can be
exploited to cause a heap-based buffer overflow.



5) An error in the JRE can be exploited to establish network connections
to arbitrary hosts.



6) An error when launching Java Web Start applications can be exploited
by an untrusted application to e.g. read, write, or execute local files
with the privileges of the user running the application.



7) An error can be exploited by an untrusted Java Web Start application
to obtain the current username and the location of the Java  Web  Start
cache.



8) An error in Java  Web  Start  can  be  exploited  to  modify  system
properties (e.g. java.home, java.ext.dirs, and user.home) via specially
crafted JNLP files.



9) An error in Java Web Start and Java  Plug-in  can  be  exploited  to
hijack HTTP sessions.



10) An error in the JRE  applet  class  loading  functionality  can  be
exploited to read arbitrary files and establish network connections  to
arbitrary hosts.



11) An error in the Java Web Start BasicService can be exploited to open
arbitrary local files in the user's browser.



12) The problem is that the "Java Update" mechanism does not check  the
digital signature of the downloaded update package. This can be exploited
to execute arbitrary code via e.g. a MitM (Man-in-the-Middle)  or  DNS
spoofing attack.



13) A boundary error exists when processing the  "Main-Class"  manifest
entry of a JAR file. This can be exploited to cause a stack-based buffer
overflow via a specially crafted JAR file.



14) An error when deserializing calendar objects can be exploited by an
untrusted Java applet to e.g. read, write, or execute local files.



15) An integer overflow error in  JRE  can  be  exploited  to  cause  a
heap-based buffer overflow via a specially crafted  Pack200  compressed
JAR file.



16) The UTF-8 decoder accepts encodings longer than the "shortest" form.
This can potentially be  exploited  to  trick  applications  using  the
decoder into accepting invalid sequences and  e.g.  disclose  sensitive
information via specially crafted URIs.



17) An error in the JRE can be exploited to list the  contents  of  the
user's home directory.



18) An error when processing RSA public keys can be exploited to consume
large amounts of CPU.



19) An error in  the  JRE  Kerberos  authentication  mechanism  can  be
exploited to potentially exhaust operating system resources.



20) Multiple errors in the JAX-WS and JAXB JRE packages can be exploited
by an untrusted Java applet to e.g. read, write, or execute local files.



21) An error when processing ZIP files can  be  exploited  to  disclose
arbitrary memory locations from the host process.



22) An error can be exploited by malicious code loaded from  the  local
filesystem to gain network access to the local host.



23) A boundary error  in  the  processing  of  TrueType  fonts  can  be
exploited to cause a heap-based buffer overflow.


Affected packages:

 Pardus 2008:
   sun-jdk, all before 1.6.0_p11-17-4
   sun-jdk-demo, all before 1.6.0_p11-17-1
   sun-jdk-doc, all before 1.6.0_p11-17-1
   sun-jdk-samples, all before 1.6.0_p11-17-1
   sun-jre, all before 1.6.0_p11-17-4


Resolution
==========

There are updates for sun-jdk, sun-jdk-demo, sun-jdk-doc,
sun-jdk-samples and sun-jre. You can update them via Package Manager or
with a single command from the console:

   pisi up sun-jdk sun-jdk-demo sun-jdk-doc sun-jdk-samples sun-jre

References
==========

 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-244989-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-244990-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-244992-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-245246-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-246266-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-246286-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-246346-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-246366-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-246386-1
 * http://sunsolve.sun.com/search/document.do?assetkey=1-66-246387-1
 * http://secunia.com/Advisories/32991/

------------------------------------------------------------------------

--
Pardus Security Team
http://security.pardus.org.tr