Bug 242595 (CVE-2007-3004)

Summary: CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser
Product: [Other] Security Response Reporter: Red Hat Product Security <security-response-team>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kreilly
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://scary.beasts.org/security/CESA-2006-004.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 16:29:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 233686, 250773, 250774, 250776, 250777, 250974, 250975, 251133, 251151, 251152, 251313, 251314, 417931    
Bug Blocks:    
Attachments:
Description Flags
A simple Java program that utilizes ImageIO
none
A JPEG file with crafted ICC profile that cause a integer overflow in Java VM
none
A crafted BMP file that makes Java VM sleep on read from /dev/tty none

Description Lubomir Kundrak 2007-06-04 23:24:02 UTC 
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1
describes two flaws:

1.) Java VM crashes with an evidence of a memory corruption.

The researcher that found this bug states that the crash "is caused by a
buffer overflow subsequent to an integer overflow, so it is likely
exploitable to cause arbitrary code execution on many platforms."

Reproducible with our current java 1.5.0:

$ java ImgReader badicc.jpg
*** glibc detected *** /usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/java:
malloc(): memory corruption: 0x000000000054bfa0 ***
Segmentation fault (core dumped)
$

2.) Java VM hangs

The researcher reports that a crafted bmp file can make Java VM attempt
to read from /dev/tty.

Reproducible with our current 1.5.0:

$ strace java ImgReader evil2.bmp 
...
open("/dev/tty", O_RDONLY)              = 50
fstat(50, {st_mode=S_IFCHR|0666, st_rdev=makedev(5, 0), ...}) = 0
read(50,

The reproducer for both issue are attached to this bug report.
Comment 1 Lubomir Kundrak 2007-06-04 23:24:02 UTC 
Created attachment 156157 [details]
A simple Java program that utilizes ImageIO
Comment 2 Lubomir Kundrak 2007-06-04 23:27:08 UTC 
Created attachment 156159 [details]
A JPEG file with crafted ICC profile that cause a integer overflow in Java VM
Comment 3 Lubomir Kundrak 2007-06-04 23:29:08 UTC 
Created attachment 156160 [details]
A crafted BMP file that makes Java VM sleep on read from /dev/tty
Comment 5 Lubomir Kundrak 2007-06-04 23:39:18 UTC 
The first issue is CVE-2007-3004, the second one is CVE-2007-3005
Comment 15 Mark J. Cox 2008-01-03 13:55:37 UTC 
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2788.
Reason: This candidate is a duplicate of CVE-2007-2788. Notes: All CVE users
should reference CVE-2007-2788 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental usage.
Comment 17 Red Hat Bugzilla 2009-10-23 19:05:08 UTC 
Reporter changed to security-response-team by request of Jay Turner.