Thursday, March 7, 2013

[USN-1755-2] OpenJDK 7 vulnerabilities

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCgAGBQJRONfpAAoJEFHb3FjMVZVz3iIP/RGTn9m4RFmhCRydvuq7jz1l
XM5z59Xj0PC4xP4d8GL2S22DXSbw6SCtS116xP89exb8HnsvsARcEVjqMwA65Cn/
rwCNv9O/5MGO7Gv3NRzfmwd26zi1F4QotPmVFa076rk4huZAmAMuh0M9r8psEm7y
zfrE2dWN0Zr33PADbzkrLaKLNIIWRCPJuwAy3yJ0PIiZX/nKgRT1g1pz4vxi5PZO
e1GWm51ykFDba5ty1d8mAiv46SlhxhiwpcksliwO/b5ljoF2QxPLQrKPzICIFiBH
wYjodCpEWUb+cG9cOoinNjTTaOcTXqG+8Krx/wkUhiWoxCHdjMTegqiz4y/pSTjZ
FoumF8K+IeIRGe3MBtQy8kB1GDMGF81dCPnhSxP/EaIZTH3iQhYb6Q4eKnf1QhKB
IkYTel1F4F+942Xpt1F/IQt8Uv2v+fn7H4wz+iiMTUxfnZt6jXUCPN82MUsnLVqC
Pib01kGEOGLpp1upetsOm1vFUZiybk85fuiE+KNQzrVZP7d9kYJpsdhQbIR23NJd
x4G7JbuqMWMBDM/2EFeNnBJJQ4fCBlVi425IsSAr+dtrYURugauOrgKuHk5hwBor
RXZNAJ+60ILNmELzFD1/nsK6Yt9MbrLxJhEt6ZvA04HpmltIm6oenVHo1Q8j2faK
noHoAfvk5LQPjMQrN5eT
=OuYS
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1755-2
March 07, 2013

openjdk-7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

OpenJDK could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description:
- openjdk-7: Open Source Java implementation

Details:

USN-1755-1 fixed vulnerabilities in OpenJDK 6. This update provides the
corresponding updates for OpenJDK 7.

Original advisory details:

It was discovered that OpenJDK did not properly validate certain types
of images. A remote attacker could exploit this to cause OpenJDK to crash.
(CVE-2013-0809)

It was discovered that OpenJDK did not properly check return values when
performing color conversion for images. If a user were tricked into
opening a crafted image with OpenJDK, such as with the Java plugin, a
remote attacker could cause OpenJDK to crash or execute arbitrary code
outside of the Java sandbox with the privileges of the user invoking the
program. (CVE-2013-1493)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
icedtea-7-jre-cacao 7u15-2.3.7-0ubuntu1~12.10.1
icedtea-7-jre-jamvm 7u15-2.3.7-0ubuntu1~12.10.1
openjdk-7-jre 7u15-2.3.7-0ubuntu1~12.10.1
openjdk-7-jre-headless 7u15-2.3.7-0ubuntu1~12.10.1
openjdk-7-jre-lib 7u15-2.3.7-0ubuntu1~12.10.1
openjdk-7-jre-zero 7u15-2.3.7-0ubuntu1~12.10.1

After a standard system update you need to restart any applications using
OpenJDK, such as your browser, to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1755-2
http://www.ubuntu.com/usn/usn-1755-1
CVE-2013-0809, CVE-2013-1493

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u15-2.3.7-0ubuntu1~12.10.1

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)