Bug 8020 - icedtea-web new security issue CVE-2012-4540
Summary: icedtea-web new security issue CVE-2012-4540
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/523621/
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-11-08 19:00 CET by David Walser
Modified: 2012-11-09 00:38 CET (History)

See Also:
Source RPM: icedtea-web-1.3-1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-11-08 19:00:13 CET
Red Hat has issued an advisory on November 7:
https://rhn.redhat.com/errata/RHSA-2012-1434.html

Updated packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated icedtea-web packages fix security vulnerability:

A buffer overflow flaw was found in the IcedTea-Web plug-in. Visiting a
malicious web page could cause a web browser using the IcedTea-Web plug-in
to crash or, possibly, execute arbitrary code (CVE-2012-4540).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4540
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html
https://rhn.redhat.com/errata/RHSA-2012-1434.html
========================

Updated packages in core/updates_testing:
========================
icedtea-web-1.1.7-1.mga1
icedtea-web-javadoc-1.1.7-1.mga1
icedtea-web-1.3.1-1.mga2
icedtea-web-javadoc-1.3.1-1.mga2

from SRPMS:
icedtea-web-1.1.7-1.mga1.src.rpm
icedtea-web-1.3.1-1.mga2.src.rpm
David Walser 2012-11-08 19:00:19 CET

Whiteboard: (none) => MGA1TOO

Comment 1 Dave Hodgins 2012-11-08 23:01:52 CET
No PoC, so just testing that a Java web applet works. I'm using the
speed test under "Tools and Tips" at http://www.ody.ca/

Testing complete on Mageia 1 and 2, i586 and x86-64.

Could someone from the sysadmin team push the srpm
icedtea-web-1.3.1-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
icedtea-web-1.1.7-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated icedtea-web packages fix security vulnerability:

A buffer overflow flaw was found in the IcedTea-Web plug-in. Visiting a
malicious web page could cause a web browser using the IcedTea-Web plug-in
to crash or, possibly, execute arbitrary code (CVE-2012-4540).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4540
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html
https://rhn.redhat.com/errata/RHSA-2012-1434.html

https://bugs.mageia.org/show_bug.cgi?id=8020

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 2 Thomas Backlund 2012-11-09 00:38:05 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0329

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
