[gentoo-announce] [ GLSA 200702-08 ] AMD64 x86 emulation Sun's J2SE Development Kit: Multiple vulnerabilities - gentoo-announce

From:	Raphael Marichez <falco@g.o>
To:	gentoo-announce@g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200702-08 ] AMD64 x86 emulation Sun's J2SE Development Kit: Multiple vulnerabilities
Date:	Sat, 17 Feb 2007 22:54:33
Message-Id:	`20070217221940.GL15700@falco.falcal.net`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200702-08

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: AMD64 x86 emulation Sun's J2SE Development Kit: Multiple

9

            vulnerabilities

10

      Date: February 17, 2007

11

      Bugs: #159547

12

        ID: 200702-08

13

14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

15

16

Synopsis

17

========

18

19

Multiple unspecified vulnerabilities have been identified in Sun Java

20

Development Kit (JDK) and Sun Java Runtime Environment (JRE).

21

22

Background

23

==========

24

25

The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment

26

(JRE) provide the Sun Java platform. The x86 emulation Sun's J2SE

27

Development Kit for AMD64 contains a vulnerable version of Sun's JDK.

28

29

Affected packages

30

=================

31

32

    -------------------------------------------------------------------

33

     Package                            /  Vulnerable  /    Unaffected

34

    -------------------------------------------------------------------

35

  1  app-emulation/emul-linux-x86-java     < 1.5.0.10      >= 1.5.0.10

36

    -------------------------------------------------------------------

37

     # Package 1 only applies to AMD64 users.

38

39

Description

40

===========

41

42

Chris Evans has discovered multiple buffer overflows in Sun JDK and Sun

43

JRE possibly related to various AWT or font layout functions. Tom

44

Hawtin has discovered an unspecified vulnerability in Sun JDK and Sun

45

JRE relating to unintended applet data access. He has also discovered

46

multiple other unspecified vulnerabilities in Sun JDK and Sun JRE

47

allowing unintended Java applet or application resource acquisition.

48

Additionally, a memory corruption error has been found in the handling

49

of GIF images with zero width field blocks.

50

51

Impact

52

======

53

54

An attacker could entice a user to run a specially crafted Java applet

55

or application that could read, write, or execute local files with the

56

privileges of the user running the JVM, access data maintained in other

57

Java applets, or escalate the privileges of the currently running Java

58

applet or application allowing for unauthorized access to system

59

resources.

60

61

Workaround

62

==========

63

64

There is no known workaround at this time.

65

66

Resolution

67

==========

68

69

All AMD64 x86 emulation Sun's J2SE Development Kit users should upgrade

70

to the latest version:

71

72

    # emerge --sync

73

    # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.5.0.10"

74

75

References

76

==========

77

78

  [ 1 ] CVE-2006-6731

79

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6731

80

  [ 2 ] CVE-2006-6736

81

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6736

82

  [ 3 ] CVE-2006-6737

83

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6737

84

  [ 4 ] CVE-2006-6745

85

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6745

86

  [ 5 ] CVE-2007-0243

87

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0243

88

89

Availability

90

============

91

92

This GLSA and any updates to it are available for viewing at

93

the Gentoo Security Website:

94

95

  http://security.gentoo.org/glsa/glsa-200702-08.xml

96

97

Concerns?

98

=========

99

100

Security is a primary focus of Gentoo Linux and ensuring the

101

confidentiality and security of our users machines is of utmost

102

importance to us. Any security concerns should be addressed to

103

security@g.o or alternatively, you may file a bug at

104

http://bugs.gentoo.org.

105

106

License

107

=======

108

109

Copyright 2007 Gentoo Foundation, Inc; referenced text

110

belongs to its owner(s).

111

112

The contents of this document are licensed under the

113

Creative Commons - Attribution / Share Alike license.

114

115

http://creativecommons.org/licenses/by-sa/2.5

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200702-08
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: AMD64 x86 emulation Sun's J2SE Development Kit: Multiple
9	vulnerabilities
10	Date: February 17, 2007
11	Bugs: #159547
12	ID: 200702-08
13
14	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15
16	Synopsis
17	========
18
19	Multiple unspecified vulnerabilities have been identified in Sun Java
20	Development Kit (JDK) and Sun Java Runtime Environment (JRE).
21
22	Background
23	==========
24
25	The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
26	(JRE) provide the Sun Java platform. The x86 emulation Sun's J2SE
27	Development Kit for AMD64 contains a vulnerable version of Sun's JDK.
28
29	Affected packages
30	=================
31
32	-------------------------------------------------------------------
33	Package / Vulnerable / Unaffected
34	-------------------------------------------------------------------
35	1 app-emulation/emul-linux-x86-java < 1.5.0.10 >= 1.5.0.10
36	-------------------------------------------------------------------
37	# Package 1 only applies to AMD64 users.
38
39	Description
40	===========
41
42	Chris Evans has discovered multiple buffer overflows in Sun JDK and Sun
43	JRE possibly related to various AWT or font layout functions. Tom
44	Hawtin has discovered an unspecified vulnerability in Sun JDK and Sun
45	JRE relating to unintended applet data access. He has also discovered
46	multiple other unspecified vulnerabilities in Sun JDK and Sun JRE
47	allowing unintended Java applet or application resource acquisition.
48	Additionally, a memory corruption error has been found in the handling
49	of GIF images with zero width field blocks.
50
51	Impact
52	======
53
54	An attacker could entice a user to run a specially crafted Java applet
55	or application that could read, write, or execute local files with the
56	privileges of the user running the JVM, access data maintained in other
57	Java applets, or escalate the privileges of the currently running Java
58	applet or application allowing for unauthorized access to system
59	resources.
60
61	Workaround
62	==========
63
64	There is no known workaround at this time.
65
66	Resolution
67	==========
68
69	All AMD64 x86 emulation Sun's J2SE Development Kit users should upgrade
70	to the latest version:
71
72	# emerge --sync
73	# emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.5.0.10"
74
75	References
76	==========
77
78	[ 1 ] CVE-2006-6731
79	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6731
80	[ 2 ] CVE-2006-6736
81	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6736
82	[ 3 ] CVE-2006-6737
83	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6737
84	[ 4 ] CVE-2006-6745
85	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6745
86	[ 5 ] CVE-2007-0243
87	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0243
88
89	Availability
90	============
91
92	This GLSA and any updates to it are available for viewing at
93	the Gentoo Security Website:
94
95	http://security.gentoo.org/glsa/glsa-200702-08.xml
96
97	Concerns?
98	=========
99
100	Security is a primary focus of Gentoo Linux and ensuring the
101	confidentiality and security of our users machines is of utmost
102	importance to us. Any security concerns should be addressed to
103	security@g.o or alternatively, you may file a bug at
104	http://bugs.gentoo.org.
105
106	License
107	=======
108
109	Copyright 2007 Gentoo Foundation, Inc; referenced text
110	belongs to its owner(s).
111
112	The contents of this document are licensed under the
113	Creative Commons - Attribution / Share Alike license.
114
115	http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce