Bug 1018761 (CVE-2013-5805, CVE-2013-5806)

Summary: CVE-2013-5805 CVE-2013-5806 OpenJDK: insufficient access checks in MacOS code (Swing, 8021275, 8021282)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-16 07:52:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1017632    

Description Tomas Hoger 2013-10-14 11:41:44 UTC 
Multiple access control checks problems were found in the Swing component code for MacOS platform. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
Comment 1 Tomas Hoger 2013-10-14 11:43:52 UTC 
These issues are in the MacOSX specific code and do not affect Linux.

Statement:

Not vulnerable. This issue did not affect the versions of Java as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 2 Stefan Cornelius 2013-10-16 06:32:18 UTC 
External References:

http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Comment 3 Tomas Hoger 2013-10-16 07:52:38 UTC 
OpenJDK upstream commits:

CVE-2013-5805 http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/ff72fefa5b8c
CVE-2013-5806 http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/5787121ada85
Comment 4 Tomas Hoger 2013-10-16 08:00:14 UTC 
Fixed in Oracle Java SE 7u45.