Gentoo Archives: gentoo-announce

From: Raphael Marichez <falco@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200709-15 ] BEA JRockit: Multiple vulnerabilities
Date: Sun, 23 Sep 2007 22:27:49
Message-Id: 20070923220337.GP29982@falco.falcal.net
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200709-15
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: BEA JRockit: Multiple vulnerabilities
9 Date: September 23, 2007
10 Bugs: #190686
11 ID: 200709-15
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 BEA JRockit contains several vulnerabilities, some of which may allow
19 the execution of arbitrary code.
20
21 Background
22 ==========
23
24 BEA JRockit provides tools, utilities, and a complete runtime
25 environment for developing and running applications using the Java
26 programming language.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 dev-java/jrockit-jdk-bin < 1.5.0.11_p1 >= 1.5.0.11_p1
35
36 Description
37 ===========
38
39 An integer overflow vulnerability exists in the embedded ICC profile
40 image parser (CVE-2007-2788), an unspecified vulnerability exists in
41 the font parsing implementation (CVE-2007-4381), and an error exists
42 when processing XSLT stylesheets contained in XSLT Transforms in XML
43 signatures (CVE-2007-3716), among other vulnerabilities.
44
45 Impact
46 ======
47
48 A remote attacker could trigger the integer overflow to execute
49 arbitrary code or crash the JVM through a specially crafted file. Also,
50 an attacker could perform unauthorized actions via an applet that
51 grants certain privileges to itself because of the font parsing
52 vulnerability. The error when processing XSLT stylesheets can be
53 exploited to execute arbitrary code. Other vulnerabilities could lead
54 to establishing restricted network connections to certain services,
55 Cross Site Scripting and Denial of Service attacks.
56
57 Workaround
58 ==========
59
60 There is no known workaround at this time for all these
61 vulnerabilities.
62
63 Resolution
64 ==========
65
66 All BEA JRockit users should upgrade to the latest version:
67
68 # emerge --sync
69 # emerge --ask --oneshot --verbose ">=dev-java/jrockit-jdk-bin-1.5.0.11_p1"
70
71 References
72 ==========
73
74 [ 1 ] CVE-2007-2788
75 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
76 [ 2 ] CVE-2007-2789
77 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
78 [ 3 ] CVE-2007-3004
79 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3004
80 [ 4 ] CVE-2007-3005
81 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3005
82 [ 5 ] CVE-2007-3503
83 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3503
84 [ 6 ] CVE-2007-3698
85 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3698
86 [ 7 ] CVE-2007-3716
87 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3716
88 [ 8 ] CVE-2007-3922
89 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3922
90 [ 9 ] CVE-2007-4381
91 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4381
92
93 Availability
94 ============
95
96 This GLSA and any updates to it are available for viewing at
97 the Gentoo Security Website:
98
99 http://security.gentoo.org/glsa/glsa-200709-15.xml
100
101 Concerns?
102 =========
103
104 Security is a primary focus of Gentoo Linux and ensuring the
105 confidentiality and security of our users machines is of utmost
106 importance to us. Any security concerns should be addressed to
107 security@g.o or alternatively, you may file a bug at
108 http://bugs.gentoo.org.
109
110 License
111 =======
112
113 Copyright 2007 Gentoo Foundation, Inc; referenced text
114 belongs to its owner(s).
115
116 The contents of this document are licensed under the
117 Creative Commons - Attribution / Share Alike license.
118
119 http://creativecommons.org/licenses/by-sa/2.5