Bug#612660: openjdk-6: CVE-2010-4476 Trivial DoS when parsing strings into Java Double objects

Package: openjdk-6
Version: 6b11-9.1+lenny2
Severity: grave
Tags: security
Justification: trivial denial of service by unauthenticated remote users

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openjdk-6.

CVE-2010-4476[0]: (description from upstream announcement)
| This Security Alert addresses security issue CVE-2010-4476 (Java Runtime
| Environment hangs when converting "2.2250738585072012e-308" to a binary
| floating-point number), which is a vulnerability in the Java Runtime
| Environment component of the Oracle Java SE and Java for Business products.
| This vulnerability allows unauthenticated network attacks (i.e. it may be
| exploited over a network without the need for a username and password).
| Successful attack of this vulnerability can result in unauthorized ability
| to cause a hang or frequently repeatable crash (complete Denial of Service)
| of the Java Runtime Environment. Java based application and web servers are
| especially at risk from this vulnerability.

In particular, there is a trivial attack involving a crafted HTTP header,
which probably affects many systems.

There is a patch available [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
    http://security-tracker.debian.org/tracker/CVE-2010-4476

[1] http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html


-- System Information:
Debian Release: 6.0
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



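The report above names the exact decimal value that drives the JRE's string-to-double conversion into an endless loop and notes that it can arrive in something as mundane as an HTTP header. Until the upstream patch [1] is deployed, the standard mitigation is to screen untrusted numeric strings before handing them to Double.parseDouble. The following Java class is an added example written for this page, not code from the bug report, OpenJDK or Debian; it assumes the hang is confined to decimal inputs in the neighbourhood of Double.MIN_NORMAL (2^-1022), so it conservatively refuses any decimal whose significant digits begin with that neighbourhood's 15-digit prefix, whatever the placement of the decimal point or exponent. The class name SafeDoubleParser and the sample inputs are constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Pre-parse guard for untrusted numeric strings on JREs not yet patched for CVE-2010-4476. */
public final class SafeDoubleParser {
    // Significant digits of the neighbourhood of Double.MIN_NORMAL (2^-1022) in which the
    // reported hangs occur. Assumption: the hang is confined to this region, so refusing any
    // decimal whose digits start with these 15 digits is a deliberately wide, conservative net
    // (it also refuses MIN_NORMAL itself, which untrusted input has no business carrying).
    private static final String SUSPECT_PREFIX = "222507385850720";

    // Decimal syntax accepted by Double.parseDouble; hex floats, NaN and Infinity do not match
    // and are passed through, as they are parsed by a different code path.
    private static final Pattern DECIMAL = Pattern.compile(
        "^[+-]?(\\d*)(?:\\.(\\d*))?(?:[eE][+-]?\\d+)?[fFdD]?$");

    /** True if the string could drive the buggy correction loop into a hang. */
    public static boolean isSuspect(String s) {
        if (s == null) return false;
        Matcher m = DECIMAL.matcher(s.trim());
        if (!m.matches()) return false;
        String fraction = m.group(2) == null ? "" : m.group(2);
        // Normalise away the decimal point, exponent and leading zeros so that
        // "0.00022250738585072012e-304" and "2.2250738585072012e-308" look the same.
        String digits = (m.group(1) + fraction).replaceFirst("^0+", "");
        return digits.startsWith(SUSPECT_PREFIX);
    }

    /** Drop-in for Double.parseDouble that refuses suspect input instead of hanging. */
    public static double parse(String s) {
        if (isSuspect(s)) {
            throw new NumberFormatException("input in CVE-2010-4476 trigger range refused");
        }
        return Double.parseDouble(s);
    }

    public static void main(String[] args) {
        String[] samples = {                      // constructed sample inputs
            "2.2250738585072012e-308",            // the value quoted in the advisory
            "0.00022250738585072012e-304",        // same value, digits shifted
            "22250738585072012E-325",             // same value, integer form
            "2.2250738585072011e-308",            // neighbouring value, also in the window
            "0.8", "1e-300", "0x1.0p-1022"        // ordinary input, passed through
        };
        for (String v : samples) {
            System.out.println(v + " -> " + (isSuspect(v) ? "refused" : "ok"));
        }
    }
}
```

The guard is only a stopgap for unpatched systems: once the fixed FloatingDecimal from [1] is installed, plain Double.parseDouble handles these inputs correctly and the screen can be retired.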