http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1 describes two flaws:

1.) Java VM crashes with evidence of memory corruption

The researcher that found this bug states that the crash "is caused by a buffer overflow subsequent to an integer overflow, so it is likely exploitable to cause arbitrary code execution on many platforms."

Reproducible with our current java 1.5.0:

  $ java ImgReader badicc.jpg
  *** glibc detected *** /usr/lib/jvm/java-1.5.0-ibm-1.5.0.5/jre/bin/java: malloc(): memory corruption: 0x000000000054bfa0 ***
  Segmentation fault (core dumped)
  $

2.) Java VM hangs

The researcher reports that a crafted bmp file can make Java VM attempt to read from /dev/tty.

Reproducible with our current 1.5.0:

  $ strace java ImgReader evil2.bmp
  ...
  open("/dev/tty", O_RDONLY) = 50
  fstat(50, {st_mode=S_IFCHR|0666, st_rdev=makedev(5, 0), ...}) = 0
  read(50,

The reproducers for both issues are attached to this bug report.
Created attachment 156157: A simple Java program that utilizes ImageIO
Created attachment 156159: A JPEG file with a crafted ICC profile that causes an integer overflow in Java VM
Created attachment 156160: A crafted BMP file that makes Java VM sleep on read from /dev/tty
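The attached ImgReader calls ImageIO directly, so a native crash or a blocked read takes the whole test JVM with it. The following harness is an added example, not the attached program or any code from the Sun advisory: it decodes each file in a separate child JVM bounded by a timeout, so a run over a set of samples can tell "decoded", "rejected by the decoder", "crashed" and "hung" apart without the parent dying. The class name, the 20-second timeout and the exit-code convention are assumptions of this example; it needs Java 8 or later for Process.waitFor(timeout) and destroyForcibly().

```java
import javax.imageio.ImageIO;
import java.awt.image.BufferedImage;
import java.io.File;
import java.util.concurrent.TimeUnit;

// Added harness (not the attached ImgReader): every file is decoded in its own child JVM,
// so a native crash or a blocked read only takes down that child, and the parent can
// tell "decoded", "rejected", "crashed" and "hung" apart.
public class IsolatedImageCheck {
    // Assumption: a legitimate decode on the test machine finishes well inside this.
    static final long TIMEOUT_SECONDS = 20;

    public static void main(String[] args) throws Exception {
        if (args.length == 2 && args[0].equals("--child")) {
            System.exit(decodeChild(args[1]));     // we are the isolated child
        }
        if (args.length == 0) {
            System.err.println("usage: java IsolatedImageCheck <image>...");
            System.exit(64);
        }
        for (String path : args) {
            System.out.println(path + ": " + checkInChild(path));
        }
    }

    // Child mode: the actual ImageIO call. The exit status carries the outcome.
    static int decodeChild(String path) {
        try {
            BufferedImage img = ImageIO.read(new File(path));
            if (img == null) return 2;             // no registered reader claimed the file
            System.out.println("decoded " + img.getWidth() + "x" + img.getHeight());
            return 0;
        } catch (Exception e) {                    // IOException, IllegalArgumentException, ...
            System.out.println("decoder exception: " + e);
            return 1;
        }
    }

    // Parent mode: relaunch this class in a fresh JVM and bound it with a timeout.
    static String checkInChild(String path) throws Exception {
        String javaBin = System.getProperty("java.home") + File.separator + "bin"
                + File.separator + "java";
        ProcessBuilder pb = new ProcessBuilder(javaBin, "-Xmx256m",
                "-Djava.awt.headless=true",
                "-cp", System.getProperty("java.class.path"),
                IsolatedImageCheck.class.getName(), "--child", path);
        pb.inheritIO();                            // child output goes straight to our console
        Process child = pb.start();

        if (!child.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
            child.destroyForcibly().waitFor();     // e.g. stuck in a read on /dev/tty
            return "HUNG (killed after " + TIMEOUT_SECONDS + "s)";
        }
        int code = child.exitValue();
        switch (code) {
            case 0:  return "OK";
            case 1:  return "REJECTED by decoder (exception)";
            case 2:  return "REJECTED (no reader for this format)";
            default: return "CRASHED (exit " + code
                    + "; on Linux 128+N means the child was killed by signal N)";
        }
    }
}
```

Run it as `java IsolatedImageCheck badicc.jpg evil2.bmp` against the attached samples. Note that the BMP case opens /dev/tty directly rather than reading the child's stdin, so redirecting stdin does not prevent the block; the timeout is what catches it. Running the harness under `setsid` (no controlling terminal) makes the open("/dev/tty") fail outright, which is a quick way to confirm that the hang really is the terminal read rather than a decoder loop.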
The first issue is CVE-2007-3004, the second one is CVE-2007-3005.
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2788. Reason: This candidate is a duplicate of CVE-2007-2788. Notes: All CVE users should reference CVE-2007-2788 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Reporter changed to security-response-team by request of Jay Turner.