[Bug 284436] New: VUL-0: JAVA image handling problems
https://bugzilla.novell.com/show_bug.cgi?id=284436

Summary: VUL-0: JAVA image handling problems
Product: openSUSE 10.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Java
AssignedTo: dbornkessel@novell.com
ReportedBy: meissner@novell.com
QAContact: qa@suse.de
CC: security-team@suse.de

is public

This affects JDK 1.5 (and likely the respective IBM JDK).

http://scary.beasts.org/security/CESA-2006-004.html

|JDK image parsing library vulnerabilities (ICC parsing, BMP parsing)
|
|Programs affected: JDK 1.5.0_07-b03 and others.
|Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06.
|Reported date: October 2006.
|Advisory release date: May 15th 2007.
|Severity: Probable remote compromise of systems which use the vulnerable JDK APIs to parse images.

Of course, most Java image parsing will be safe from the usual gamut of buffer overflows, integer overflows, subtle memory corruptions, etc. Most, but not all. The JPEG and BMP parsers support embedded ICC profiles (to do with colour correction), and the ICC profile parser is actually backed by native code.

Flaw 1 - integer overflow(s) in the ICC profile parser

Demo JPG: http://scary.beasts.org/misc/jdk/badicc.jpg . It causes a crash of the JVM. The crash is caused by a buffer overflow subsequent to an integer overflow, so it is likely exploitable to cause arbitrary code execution on many platforms. Generally, the ICC parser takes quite a few 32-bit integers from ICC profile data and does not check them for being excessively large.

(tracked in http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788)

Flaw 2 - local file opens in the BMP parser

Demo BMP: http://scary.beasts.org/misc/jdk/evil2.bmp . This, on Linux, causes the image parsing thread to hang whilst trying to read from /dev/tty. Obviously, the broad problem here is that opening local files is not a suitable thing to do in the context of server-side image parsing.
Comments

The native code affected looks to be a library that is likely to be reused in other commercial projects. You might want to run the evil JPEG through other ICC parsing packages. The errant memcpy() triggered can be somewhat wild, but JDK installs a SEGV handler which crashes a second time (in a more controllable way), making the condition much more interesting.

(tracked in http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
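The advisory quoted in the report describes flaw 1 only in general terms: 32-bit sizes read from ICC profile data are used without an excessive-size check, and a memcpy() then overruns an allocation. The following is an added illustration of that bug class written for this page; it is not the JDK or CMM code and does not reproduce badicc.jpg. The only format facts it relies on are the public ICC layout (128-byte header, a big-endian 4-byte tag count, then 12-byte tag entries of signature, offset and size); the parser functions, the hostile count value and the sample profiles are all constructed here. The naive routine shows how a tag count of 0x15555556 multiplied by 12 wraps to 8 in 32-bit arithmetic, and the checked routine shows the two guards that close this hole: compare the count against the bytes actually present using division instead of multiplication, and evaluate offset + size in 64 bits before bounding it by the buffer length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICC_HEADER_LEN    128u   /* fixed ICC header */
#define ICC_TAG_ENTRY_LEN 12u    /* signature, offset, size: 4 bytes each */

struct icc_tag { uint32_t sig, offset, size; };

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void wr32be(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Vulnerable pattern (toy code, not the JDK's): the tag-table byte count is
 * taken from the file and multiplied in 32 bits. Count 0x15555556 gives
 * 0x100000008, which wraps to 8; a malloc(8) followed by a memcpy of
 * `count` entries would write far past the allocation. Only the computed
 * size is returned so the example stays memory-safe. */
uint32_t icc_table_bytes_naive(const uint8_t *buf, size_t len) {
    if (len < ICC_HEADER_LEN + 4) return 0;
    uint32_t count = rd32be(buf + ICC_HEADER_LEN);
    return count * ICC_TAG_ENTRY_LEN;               /* silent wrap */
}

/* Hardened form: every length taken from the profile is compared against
 * the bytes actually present, with arithmetic that cannot wrap.
 * Returns the tag count, or -1 for a malformed profile. */
int icc_parse_tags_checked(const uint8_t *buf, size_t len,
                           struct icc_tag *out, size_t max_tags) {
    if (len < ICC_HEADER_LEN + 4) return -1;
    uint32_t count = rd32be(buf + ICC_HEADER_LEN);
    size_t avail = len - ICC_HEADER_LEN - 4;
    /* divide rather than multiply, so the comparison itself cannot overflow */
    if (count > avail / ICC_TAG_ENTRY_LEN || count > max_tags) return -1;
    const uint8_t *e = buf + ICC_HEADER_LEN + 4;
    for (uint32_t i = 0; i < count; i++, e += ICC_TAG_ENTRY_LEN) {
        struct icc_tag t = { rd32be(e), rd32be(e + 4), rd32be(e + 8) };
        /* offset + size is evaluated in 64 bits before the bound check */
        if ((uint64_t)t.offset + t.size > len) return -1;
        out[i] = t;
    }
    return (int)count;
}

/* Constructed sample profile (not the advisory's reproducer): header, a
 * claimed tag count, and `real_tags` entries each pointing at 4 header
 * bytes. Returns the profile length, or 0 if cap is too small. */
size_t build_profile(uint8_t *buf, size_t cap,
                     uint32_t claimed_count, uint32_t real_tags) {
    size_t need = ICC_HEADER_LEN + 4 + (size_t)real_tags * ICC_TAG_ENTRY_LEN;
    if (cap < need) return 0;
    memset(buf, 0, need);
    wr32be(buf, (uint32_t)need);                 /* profile size field */
    wr32be(buf + ICC_HEADER_LEN, claimed_count);
    for (uint32_t i = 0; i < real_tags; i++) {
        uint8_t *e = buf + ICC_HEADER_LEN + 4 + i * ICC_TAG_ENTRY_LEN;
        wr32be(e, 0x64657363u + i);              /* 'desc', 'dese', ... */
        wr32be(e + 4, 0);                        /* offset 0 */
        wr32be(e + 8, 4);                        /* size 4 */
    }
    return need;
}

/* Scenario helpers so each outcome is a checkable return value. */
uint32_t demo_naive_wrapped_size(void) {        /* 8: 0x15555556 * 12 wrapped */
    uint8_t buf[256];
    size_t n = build_profile(buf, sizeof buf, 0x15555556u, 2);
    return icc_table_bytes_naive(buf, n);
}
int demo_checked_rejects_count(void) {          /* -1: count exceeds data */
    uint8_t buf[256]; struct icc_tag tags[8];
    size_t n = build_profile(buf, sizeof buf, 0x15555556u, 2);
    return icc_parse_tags_checked(buf, n, tags, 8);
}
int demo_checked_rejects_size(void) {           /* -1: offset+size wraps in 32 bits */
    uint8_t buf[256]; struct icc_tag tags[8];
    size_t n = build_profile(buf, sizeof buf, 1, 1);
    wr32be(buf + ICC_HEADER_LEN + 4 + 4, 8);            /* tag offset 8 */
    wr32be(buf + ICC_HEADER_LEN + 4 + 8, 0xFFFFFFFCu);  /* 8 + size = 4 in 32 bits */
    return icc_parse_tags_checked(buf, n, tags, 8);
}
int demo_checked_accepts(void) {                /* 2: well-formed profile */
    uint8_t buf[256]; struct icc_tag tags[8];
    size_t n = build_profile(buf, sizeof buf, 2, 2);
    return icc_parse_tags_checked(buf, n, tags, 8);
}

int main(void) {
    printf("naive table size for count 0x15555556: %u\n", demo_naive_wrapped_size());
    printf("checked, hostile count: %d\n", demo_checked_rejects_count());
    printf("checked, hostile tag size: %d\n", demo_checked_rejects_size());
    printf("checked, sane profile: %d\n", demo_checked_accepts());
    return 0;
}
```

The second hostile case matters because a 32-bit `offset + size <= len` check would have accepted it: 8 + 0xFFFFFFFC wraps to 4, which is inside the buffer. The same two guards apply to any length field a native image or colour-profile parser reads from untrusted input.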
------- Comment #1 from meissner@novell.com 2007-06-14 12:43 MST -------

Created an attachment (id=146367) --> (https://bugzilla.novell.com/attachment.cgi?id=146367&action=view)
ImgReader.java

ImgReader.java (not sure how to build it, java ImgReader.java does have errors)

------- Comment #2 from meissner@novell.com 2007-06-14 12:44 MST -------

Created an attachment (id=146368) --> (https://bugzilla.novell.com/attachment.cgi?id=146368&action=view)
badicc.jpg

badicc.jpg reproducer for flaw 1

------- Comment #3 from meissner@novell.com 2007-06-14 12:45 MST -------

Created an attachment (id=146371) --> (https://bugzilla.novell.com/attachment.cgi?id=146371&action=view)
evil2.bmp

bitmap reproducer for flaw 2

------- Comment #4 from meissner@novell.com 2007-06-14 12:53 MST -------

In the other bug you wrote we already fixed it, but only in STABLE/FACTORY. So this bug affects all old products containing JDK 1.5, which are currently at level 10. (I think these are: 10.0, 10.1, 10.2 only.) Not sure about IBMJava2.

------- Comment #5 from meissner@novell.com 2007-06-14 13:06 MST -------

*** Bug 284443 has been marked as a duplicate of this bug. ***

------- Comment #6 from meissner@novell.com 2007-06-14 13:07 MST -------

Duplicate CVE id too: CVE-2007-3004

------- Comment #7 from meissner@novell.com 2007-06-15 11:58 MST -------

CVE-2007-3005 also a dup