Description Lubomir Kundrak
2007-06-04 23:24:02 UTC
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1
describes two flaws:
1.) Java VM crashes with evidence of memory corruption.
The researcher that found this bug states that the crash "is caused by a
buffer overflow subsequent to an integer overflow, so it is likely
exploitable to cause arbitrary code execution on many platforms."
Reproducible with our current java 1.5.0:
$ java ImgReader badicc.jpg
*** glibc detected *** /usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/java:
malloc(): memory corruption: 0x000000000054bfa0 ***
Segmentation fault (core dumped)
$
2.) Java VM hangs
The researcher reports that a crafted bmp file can make Java VM attempt
to read from /dev/tty.
Reproducible with our current 1.5.0:
$ strace java ImgReader evil2.bmp
...
open("/dev/tty", O_RDONLY) = 50
fstat(50, {st_mode=S_IFCHR|0666, st_rdev=makedev(5, 0), ...}) = 0
read(50,
The reproducers for both issues are attached to this bug report.
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2788.
Reason: This candidate is a duplicate of CVE-2007-2788. Notes: All CVE users
should reference CVE-2007-2788 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental usage.
Comment 17 Red Hat Bugzilla
2009-10-23 19:05:08 UTC
Reporter changed to security-response-team by request of Jay Turner.