openjdk team mailing list archive

Bug#560908: openjdk-6: deluge of vulnerabilities

 

Package: openjdk-6
Version: 6b16-1.6.1-2
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for openjdk-6.  I have not had the time to check any of this
since there are just way too many issues.  Please check whether openjdk
is vulnerable or not affected by these.  Thank you.

CVE-2009-2716[0]:
| The plugin functionality in Sun Java SE 6 before Update 15 does not
| properly implement version selection, which allows context-dependent
| attackers to leverage vulnerabilities in "old zip and certificate
| handling" and have unspecified other impact via unknown vectors.

CVE-2009-2717[1]:
| The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6
| before Update 15 on Windows 2000 Professional does not provide a
| Security Warning Icon, which makes it easier for context-dependent
| attackers to trick a user into interacting unsafely with an untrusted
| applet.

CVE-2009-2718[2]:
| The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6
| before Update 15 on X11 does not impose the intended constraint on
| distance from the window border to the Security Warning Icon, which
| makes it easier for context-dependent attackers to trick a user into
| interacting unsafely with an untrusted applet.

CVE-2009-2719[3]:
| The Java Web Start implementation in Sun Java SE 6 before Update 15
| allows context-dependent attackers to cause a denial of service
| (NullPointerException) via a crafted .jnlp file, as demonstrated by
| the jnlp_file/appletDesc/index.html#misc test in the Technology
| Compatibility Kit (TCK) for the Java Network Launching Protocol
| (JNLP).

CVE-2009-2720[4]:
| Unspecified vulnerability in the
| javax.swing.plaf.synth.SynthContext.isSubregion method in the Swing
| implementation in Sun Java SE 6 before Update 15 allows
| context-dependent attackers to cause a denial of service
| (NullPointerException in the Jemmy library) via unknown vectors.

CVE-2009-3728[5]:
| Directory traversal vulnerability in the ICC_Profile.getInstance
| method in Java Runtime Environment (JRE) in Sun Java SE 5.0 before
| Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers
| to determine the existence of local International Color Consortium
| (ICC) profile files via a .. (dot dot) in a pathname, aka Bug Id
| 6631533.

CVE-2009-3729[6]:
| Unspecified vulnerability in the TrueType font parsing functionality
| in Sun Java SE 5.0 before Update 22 and 6 before Update 17 allows
| remote attackers to cause a denial of service (application crash) via
| a certain test suite, aka Bug Id 6815780.

CVE-2009-3865[7]:
| The launch method in the Deployment Toolkit plugin in Java Runtime
| Environment (JRE) in Sun Java SE in JDK and JRE 6 before Update 17
| allows remote attackers to execute arbitrary commands via a crafted
| web page, aka Bug Id 6869752.

CVE-2009-3866[8]:
| The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before
| Update 17 does not properly use security model permissions when
| removing installer extensions, which allows remote attackers to
| execute arbitrary code by modifying a certain JNLP file to have a URL
| field that points to an unintended trusted application, aka Bug Id
| 6872824.

CVE-2009-3867[9]:
| Stack-based buffer overflow in the HsbParser.getSoundBank function in
| Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before
| Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x
| before 1.4.2_24 allows remote attackers to execute arbitrary code via
| a long file: URL in an argument, aka Bug Id 6854303.

CVE-2009-3868[10]:
| Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before
| Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x
| before 1.4.2_24 does not properly parse color profiles, which allows
| remote attackers to gain privileges via a crafted image file, aka Bug
| Id 6862970.

CVE-2009-3869[11]:
| Stack-based buffer overflow in the setDiffICM function in the Abstract
| Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE
| in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17,
| SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before
| 1.4.2_24 allows remote attackers to execute arbitrary code via a
| crafted argument, aka Bug Id 6872357.

CVE-2009-3870[12]:
| ** REJECT **
| DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-3870.  Reason:
| This candidate is a duplicate of CVE-2008-3870.  A typo caused the
| wrong ID to be used.  Notes: All CVE users should reference
| CVE-2008-3870 instead of this candidate.  All references and
| descriptions in this candidate have been removed to prevent accidental
| usage.

CVE-2009-3871[13]:
| Heap-based buffer overflow in the setBytePixels function in the
| Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun
| Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before
| Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x
| before 1.4.2_24 allows remote attackers to execute arbitrary code via
| crafted arguments, aka Bug Id 6872358.

CVE-2009-3872[14]:
| Unspecified vulnerability in the JPEG JFIF Decoder in Sun Java SE in
| JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK
| and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24
| allows remote attackers to gain privileges via a crafted image file,
| aka Bug Id 6862969.

CVE-2009-3873[15]:
| The JPEG Image Writer in Sun Java SE in JDK and JRE 5.0 before Update
| 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before
| 1.4.2_24 allows remote attackers to gain privileges via a crafted
| image file, related to a "quantization problem," aka Bug Id 6862968.

CVE-2009-3874[16]:
| Integer overflow in the JPEGImageReader implementation in the ImageI/O
| component in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and
| JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows
| remote attackers to execute arbitrary code via large subsample
| dimensions in a JPEG file that triggers a heap-based buffer overflow,
| aka Bug Id 6874643.

CVE-2009-3875[17]:
| The MessageDigest.isEqual function in Java Runtime Environment (JRE)
| in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6
| before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE
| 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based
| digital signatures, and possibly bypass authentication, via
| unspecified vectors related to "timing attack vulnerabilities," aka
| Bug Id 6863503.

CVE-2009-3876[18]:
| Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before
| Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before
| 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote
| attackers to cause a denial of service (memory consumption) via
| crafted DER encoded data, which is not properly decoded by the ASN.1
| DER input stream parser, aka Bug Id 6864911.

CVE-2009-3877[19]:
| Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before
| Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before
| 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote
| attackers to cause a denial of service (memory consumption) via
| crafted HTTP headers, which are not properly parsed by the ASN.1 DER
| input stream parser, aka Bug Id 6864911.

CVE-2009-3878[20]:
| Buffer overflow in Sun Java System Web Server 7.0 Update 6 has
| unspecified impact and remote attack vectors, as demonstrated by the
| vd_sjws module in VulnDisco Pack Professional 8.12.  NOTE: as of
| 20091105, this disclosure has no actionable information. However,
| because the VulnDisco Pack author is a reliable researcher, the issue
| is being assigned a CVE identifier for tracking purposes.

CVE-2009-3879[21]:
| Multiple unspecified vulnerabilities in the (1) X11 and (2)
| Win32GraphicsDevice subsystems in Sun Java SE 5.0 before Update 22 and
| 6 before Update 17, and OpenJDK, have unknown impact and attack
| vectors, related to failure to clone arrays that are returned by the
| getConfigurations function, aka Bug Id 6822057.

CVE-2009-3880[22]:
| The Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in
| Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK,
| does not properly restrict the objects that may be sent to loggers,
| which allows attackers to obtain sensitive information via vectors
| related to the implementation of Component, KeyboardFocusManager, and
| DefaultKeyboardFocusManager, aka Bug Id 6664512.

CVE-2009-3881[23]:
| Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK,
| does not prevent the existence of children of a resurrected
| ClassLoader, which allows remote attackers to gain privileges via
| unspecified vectors, related to an "information leak vulnerability,"
| aka Bug Id 6636650.

CVE-2009-3882[24]:
| Multiple unspecified vulnerabilities in the Swing implementation in
| Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK,
| have unknown impact and remote attack vectors, related to "information
| leaks in mutable variables," aka Bug Id 6657026.

CVE-2009-3883[25]:
| Multiple unspecified vulnerabilities in the Windows Pluggable Look and
| Feel (PL&F) feature in the Swing implementation in Sun Java SE 5.0
| before Update 22 and 6 before Update 17, and OpenJDK, have unknown
| impact and remote attack vectors, related to "information leaks in
| mutable variables," aka Bug Id 6657138.

CVE-2009-3884[26]:
| The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22
| and 6 before Update 17, and OpenJDK, allows remote attackers to
| determine the existence of local files via vectors related to handling
| of zoneinfo (aka tz) files, aka Bug Id 6824265.

CVE-2009-3885[27]:
| Sun Java SE 5.0 before Update 22 and 6 before Update 17 on Windows
| allows remote attackers to cause a denial of service via a BMP file
| containing a link to a UNC share pathname for an International Color
| Consortium (ICC) profile file, probably a related issue to
| CVE-2007-2789, aka Bug Id 6632445.

CVE-2009-3886[28]:
| The Java Web Start implementation in Sun Java SE 6 before Update 17
| does not properly handle the interaction between a signed JAR file and
| a JNLP (1) application or (2) applet, which has unspecified impact and
| attack vectors, related to a "regression," aka Bug Id 6870531.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716
    http://security-tracker.debian.org/tracker/CVE-2009-2716
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2717
    http://security-tracker.debian.org/tracker/CVE-2009-2717
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718
    http://security-tracker.debian.org/tracker/CVE-2009-2718
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719
    http://security-tracker.debian.org/tracker/CVE-2009-2719
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720
    http://security-tracker.debian.org/tracker/CVE-2009-2720
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728
    http://security-tracker.debian.org/tracker/CVE-2009-3728
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729
    http://security-tracker.debian.org/tracker/CVE-2009-3729
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865
    http://security-tracker.debian.org/tracker/CVE-2009-3865
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866
    http://security-tracker.debian.org/tracker/CVE-2009-3866
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867
    http://security-tracker.debian.org/tracker/CVE-2009-3867
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868
    http://security-tracker.debian.org/tracker/CVE-2009-3868
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869
    http://security-tracker.debian.org/tracker/CVE-2009-3869
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3870
    http://security-tracker.debian.org/tracker/CVE-2009-3870
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871
    http://security-tracker.debian.org/tracker/CVE-2009-3871
[14] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872
    http://security-tracker.debian.org/tracker/CVE-2009-3872
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873
    http://security-tracker.debian.org/tracker/CVE-2009-3873
[16] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874
    http://security-tracker.debian.org/tracker/CVE-2009-3874
[17] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875
    http://security-tracker.debian.org/tracker/CVE-2009-3875
[18] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876
    http://security-tracker.debian.org/tracker/CVE-2009-3876
[19] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877
    http://security-tracker.debian.org/tracker/CVE-2009-3877
[20] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3878
    http://security-tracker.debian.org/tracker/CVE-2009-3878
[21] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879
    http://security-tracker.debian.org/tracker/CVE-2009-3879
[22] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880
    http://security-tracker.debian.org/tracker/CVE-2009-3880
[23] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881
    http://security-tracker.debian.org/tracker/CVE-2009-3881
[24] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882
    http://security-tracker.debian.org/tracker/CVE-2009-3882
[25] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883
    http://security-tracker.debian.org/tracker/CVE-2009-3883
[26] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884
    http://security-tracker.debian.org/tracker/CVE-2009-3884
[27] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3885
    http://security-tracker.debian.org/tracker/CVE-2009-3885
[28] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886
    http://security-tracker.debian.org/tracker/CVE-2009-3886