Bug 242595 - (CVE-2007-3004) CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser
CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
http://scary.beasts.org/security/CESA...
reported=20070504,source=cve,public=2...
: Security
Depends On: 233686 250773 250774 250776 250777 250974 250975 251133 251151 251152 251313 251314 417931
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-04 19:24 EDT by Red Hat Product Security
Modified: 2016-03-04 05:57 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 12:29:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
A simple Java program that utilizes ImageIO (657 bytes, text/x-java)
2007-06-04 19:24 EDT, Lubomir Kundrak
no flags Details
A JPEG file with crafted ICC profile that cause a integer overflow in Java VM (4.62 KB, application/octet-stream)
2007-06-04 19:27 EDT, Lubomir Kundrak
no flags Details
A crafted BMP file that makes Java VM sleep on read from /dev/tty (264 bytes, application/octet-stream)
2007-06-04 19:29 EDT, Lubomir Kundrak
no flags Details

  None (edit)
Description Lubomir Kundrak 2007-06-04 19:24:02 EDT
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1
describes two flaws:

1.) Java VM crashes with an evidence of a memory corruption.

The researcher that found this bug states that the crash "is caused by a
buffer overflow subsequent to an integer overflow, so it is likely
exploitable to cause arbitrary code execution on many platforms."

Reproducible with our current java 1.5.0:

$ java ImgReader badicc.jpg
*** glibc detected *** /usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/java:
malloc(): memory corruption: 0x000000000054bfa0 ***
Segmentation fault (core dumped)
$

2.) Java VM hangs

The researcher reports that a crafted bmp file can make Java VM attempt
to read from /dev/tty.

Reproducible with our current 1.5.0:

$ strace java ImgReader evil2.bmp 
...
open("/dev/tty", O_RDONLY)              = 50
fstat(50, {st_mode=S_IFCHR|0666, st_rdev=makedev(5, 0), ...}) = 0
read(50,

The reproducer for both issue are attached to this bug report.
Comment 1 Lubomir Kundrak 2007-06-04 19:24:02 EDT
Created attachment 156157 [details]
A simple Java program that utilizes ImageIO
Comment 2 Lubomir Kundrak 2007-06-04 19:27:08 EDT
Created attachment 156159 [details]
A JPEG file with crafted ICC profile that cause a integer overflow in Java VM
Comment 3 Lubomir Kundrak 2007-06-04 19:29:08 EDT
Created attachment 156160 [details]
A crafted BMP file that makes Java VM sleep on read from /dev/tty
Comment 5 Lubomir Kundrak 2007-06-04 19:39:18 EDT
The first issue is CVE-2007-3004, the second one is CVE-2007-3005
Comment 15 Mark J. Cox (Product Security) 2008-01-03 08:55:37 EST
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2788.
Reason: This candidate is a duplicate of CVE-2007-2788. Notes: All CVE users
should reference CVE-2007-2788 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental usage.
Comment 17 Red Hat Bugzilla 2009-10-23 15:05:08 EDT
Reporter changed to security-response-team@redhat.com by request of Jay Turner.

Note You need to log in before you can comment on or make changes to this bug.