Bug 242595 (CVE-2007-3004) - CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser
Summary: CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-3004
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://scary.beasts.org/security/CESA...
Whiteboard:
Depends On: 233686 250773 250774 250776 250777 250974 250975 251133 251151 251152 251313 251314 417931
Blocks:
 
Reported: 2007-06-04 23:24 UTC by Red Hat Product Security
Modified: 2019-09-29 12:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 16:29:01 UTC
Embargoed:


Attachments
A simple Java program that utilizes ImageIO (657 bytes, text/x-java)
2007-06-04 23:24 UTC, Lubomir Kundrak
A JPEG file with a crafted ICC profile that causes an integer overflow in the Java VM (4.62 KB, application/octet-stream)
2007-06-04 23:27 UTC, Lubomir Kundrak
A crafted BMP file that makes the Java VM sleep on a read from /dev/tty (264 bytes, application/octet-stream)
2007-06-04 23:29 UTC, Lubomir Kundrak


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0817 0 normal SHIPPED_LIVE Critical: java-1.4.2-ibm security update 2007-08-06 16:00:46 UTC
Red Hat Product Errata RHSA-2007:0829 0 normal SHIPPED_LIVE Critical: java-1.5.0-ibm security update 2007-08-07 19:36:59 UTC
Red Hat Product Errata RHSA-2007:0956 0 normal SHIPPED_LIVE Moderate: java-1.5.0-bea security update 2007-10-16 07:08:21 UTC
Red Hat Product Errata RHSA-2007:1086 0 normal SHIPPED_LIVE Moderate: java-1.4.2-bea security update 2007-12-12 12:27:35 UTC
Red Hat Product Errata RHSA-2008:0133 0 normal SHIPPED_LIVE Moderate: IBMJava2 security update 2008-06-24 09:07:10 UTC

Description Lubomir Kundrak 2007-06-04 23:24:02 UTC
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1
describes two flaws:

1.) Java VM crashes with evidence of memory corruption.

The researcher that found this bug states that the crash "is caused by a
buffer overflow subsequent to an integer overflow, so it is likely
exploitable to cause arbitrary code execution on many platforms."

Reproducible with our current java 1.5.0:

$ java ImgReader badicc.jpg
*** glibc detected *** /usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/java:
malloc(): memory corruption: 0x000000000054bfa0 ***
Segmentation fault (core dumped)
$

2.) Java VM hangs

The researcher reports that a crafted bmp file can make Java VM attempt
to read from /dev/tty.

Reproducible with our current 1.5.0:

$ strace java ImgReader evil2.bmp 
...
open("/dev/tty", O_RDONLY)              = 50
fstat(50, {st_mode=S_IFCHR|0666, st_rdev=makedev(5, 0), ...}) = 0
read(50,

The reproducers for both issues are attached to this bug report.
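
The report above gives the symptom (glibc aborting in malloc after an integer overflow in the ICC profile parser) but not the parser code. The following is an added example, not the attached ImgReader program and not the IBM JDK's or any CMM's code: a small ICC tag-table validator in C showing the arithmetic pattern the advisory describes (a 32-bit offset + size that wraps and slips past a naive bounds check, and a tag count whose multiplication by the entry size can wrap) next to the checked form. It assumes only the public ICC layout: a 128-byte header, a 4-byte big-endian tag count at offset 128, then 12-byte entries of signature, offset, size. The profile bytes are constructed inside the block for illustration; they are not the bytes of the attached badicc.jpg.

```c
/* Added example: ICC tag-table bounds checking, unsafe and hardened forms.
 * Layout assumptions (ICC spec): 128-byte header, u32 tag count at 128,
 * then 12-byte entries (sig, offset, size), all big-endian. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICC_HEADER_LEN    128u
#define ICC_TAG_ENTRY_LEN 12u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Unsafe pattern: the end-of-tag computation is done in 32 bits, so a large
 * size wraps offset + size below len and the check passes. This is the shape
 * of bug the advisory describes, not the JDK's actual code. Returns 1 = ok. */
int naive_tag_in_range(uint32_t offset, uint32_t size, uint32_t len) {
    uint32_t end = (uint32_t)(offset + size);   /* may wrap */
    return end <= len;
}

/* Hardened check: no addition that can wrap; compare against the remainder. */
int checked_tag_in_range(uint32_t offset, uint32_t size, size_t len) {
    if (offset > len) return 0;
    return size <= len - offset;
}

/* Walk the tag table. Returns the number of tags validated, or -1 if the
 * buffer is too short, the count does not fit, or any tag points outside. */
long icc_validate_tags(const uint8_t *buf, size_t len) {
    if (len < ICC_HEADER_LEN + 4) return -1;
    uint32_t count = be32(buf + ICC_HEADER_LEN);
    /* Divide rather than compute count * 12, which could overflow in 32 bits. */
    if (count > (len - ICC_HEADER_LEN - 4) / ICC_TAG_ENTRY_LEN) return -1;
    const uint8_t *entry = buf + ICC_HEADER_LEN + 4;
    for (uint32_t i = 0; i < count; i++, entry += ICC_TAG_ENTRY_LEN) {
        uint32_t offset = be32(entry + 4);
        uint32_t size   = be32(entry + 8);
        if (!checked_tag_in_range(offset, size, len)) return -1;
    }
    return (long)count;
}

/* Constructed test profile (not the attached file): header, count, one
 * 12-byte entry with the given offset/size, 16 bytes of tag data.
 * 'out' must hold at least 160 bytes. Returns the total length, 160. */
size_t make_profile(uint8_t *out, uint32_t count, uint32_t offset, uint32_t size) {
    size_t total = ICC_HEADER_LEN + 4 + ICC_TAG_ENTRY_LEN + 16;
    memset(out, 0, total);
    put_be32(out, (uint32_t)total);          /* profile size field */
    memcpy(out + 36, "acsp", 4);             /* profile file signature */
    put_be32(out + ICC_HEADER_LEN, count);   /* tag count */
    memcpy(out + ICC_HEADER_LEN + 4, "desc", 4);
    put_be32(out + ICC_HEADER_LEN + 8, offset);
    put_be32(out + ICC_HEADER_LEN + 12, size);
    return total;
}

int main(void) {
    uint8_t buf[160];
    size_t len = make_profile(buf, 1, 144, 16);
    printf("benign profile: %ld tag(s)\n", icc_validate_tags(buf, len));

    /* 144 + 0xFFFFFFF0 wraps to 128 in 32 bits, which is <= 160. */
    len = make_profile(buf, 1, 144, 0xFFFFFFF0u);
    printf("naive check accepts crafted tag: %d\n",
           naive_tag_in_range(144, 0xFFFFFFF0u, (uint32_t)len));
    printf("checked walk result: %ld\n", icc_validate_tags(buf, len));

    /* 0x15555556 * 12 = 0x100000008 wraps to 8 in 32-bit arithmetic. */
    len = make_profile(buf, 0x15555556u, 144, 16);
    printf("huge tag count: %ld\n", icc_validate_tags(buf, len));
    return 0;
}
```

The hardened walk never forms offset + size or count * 12 as a 32-bit value; it compares each field against what remains of the buffer. The same pattern applies to the element count inside individual tag types, which is where a count-times-element-size allocation typically undersizes a buffer before the copy that corrupts the heap.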

Comment 1 Lubomir Kundrak 2007-06-04 23:24:02 UTC
Created attachment 156157 [details]
A simple Java program that utilizes ImageIO

Comment 2 Lubomir Kundrak 2007-06-04 23:27:08 UTC
Created attachment 156159 [details]
A JPEG file with a crafted ICC profile that causes an integer overflow in the Java VM

Comment 3 Lubomir Kundrak 2007-06-04 23:29:08 UTC
Created attachment 156160 [details]
A crafted BMP file that makes the Java VM sleep on a read from /dev/tty

Comment 5 Lubomir Kundrak 2007-06-04 23:39:18 UTC
The first issue is CVE-2007-3004, the second one is CVE-2007-3005

Comment 15 Mark J. Cox 2008-01-03 13:55:37 UTC
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2788.
Reason: This candidate is a duplicate of CVE-2007-2788. Notes: All CVE users
should reference CVE-2007-2788 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental usage.

Comment 17 Red Hat Bugzilla 2009-10-23 19:05:08 UTC
Reporter changed to security-response-team by request of Jay Turner.
