Bug 1857172 (CVE-2020-14581)

Summary: CVE-2020-14581 OpenJDK: Information disclosure in color management (2D, 8238002)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahughes, jvanek, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-15 13:27:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1838813    

Description Tomas Hoger 2020-07-15 10:33:16 UTC 
A flaw was found in the color management code in the 2D component of OpenJDK.  A specially-crafted image file could cause a Java application to disclose portion of its memory.
Comment 1 Tomas Hoger 2020-07-15 10:35:27 UTC 
Public now via Oracle CPU July 2020:

https://www.oracle.com/security-alerts/cpujul2020.html#AppendixJAVA

Fixed in Oracle Java SE 14.0.2, 11.0.8, and 8u261.
Comment 2 Tomas Hoger 2020-07-15 10:45:11 UTC 
OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/917fdf37c538

OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/29ec8fdd7b86
Comment 3 Product Security DevOps Team 2020-07-15 13:27:40 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14581
Comment 4 Tomas Hoger 2020-08-04 15:51:43 UTC 
The fix for this CVE affects the code of the LittleCMS / lcms project that is embedded in the OpenJDK sources.  The patch consists of two parts:

- Increase of the Colorant[] buffer size in the WriteNamedColorCRD() function.
- A change of compiler flags to work around Xcode / clang bug on MacOS.

The Colorant[] buffer size increase was applied to the LittleCMS upstream code via the following pull request and commit:

https://github.com/mm2/Little-CMS/pull/186
https://github.com/mm2/Little-CMS/commit/d1fcbdc6bcdd50432ae95e9c6f83e79338f87690

While the fix there is described as buffer overflow fix, the further analysis of the code showed that the overflow was not actually possible because of what data gets stored in the buffer.  Hence that part of the OpenJDK commit does not have any security impact.

The other part of the OpenJDK commit has to be relevant to this CVE.  However, as that problems is specific to MacOS builds of OpenJDK, it does not affect any OpenJDK packages distributed by Red Hat.