1150118 – (CVE-2014-6513) CVE-2014-6513 OpenJDK: splash image handling memory corruption (AWT, 8042609)

Bug 1150118 (CVE-2014-6513) - CVE-2014-6513 OpenJDK: splash image handling memory corruption (AWT, 8042609)

Summary: CVE-2014-6513 OpenJDK: splash image handling memory corruption (AWT, 8042609)

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2014-6513
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1148726
TreeView+	depends on / blocked

Reported:	2014-10-07 13:18 UTC by Tomas Hoger
Modified:	2021-02-17 06:08 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-10-07 13:48:54 UTC
Embargoed:

Attachments	(Terms of Use)

Description Tomas Hoger 2014-10-07 13:18:11 UTC

A flaw was found in the way the AWT component of OpenJDK handled splash screen images.  A specially crafted image could possibly cause JVM memory corruption.  A malicious Java application or applet could use this flaw to execute arbitrary code with JVM privileges, bypassing Java sandbox restrictions.

This issue affected native code for Windows platform.  Linux builds of OpenJDK do not use the affected code and are unaffected by this issue.

Comment 1 Tomas Hoger 2014-10-07 13:48:54 UTC

Statement:

Not vulnerable. This issue did not affect the versions of OpenJDK as shipped with Red Hat Enterprise Linux.

Comment 2 Tomas Hoger 2014-10-14 20:29:34 UTC

Public now via Oracle Critical Patch Update - October 2014.  Fixed in Oracle Java SE 6u85, 7u71, and 8u25.

External References:

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixJAVA

Note You need to log in before you can comment on or make changes to this bug.