Red Hat Bugzilla – Bug 472233
CVE-2008-5352 OpenJDK Jar200 Decompression buffer overflow (6755943)
Last modified: 2015-08-22 12:40:13 EDT
Reference: IDEFENSE:20081204 Sun Java JRE Pack200 Decompression Integer Overflow Vulnerability
Integer overflow in the JAR unpacking utility (unpack200) in the
unpack library (unpack.dll) in Java Runtime Environment (JRE) for Sun
JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and
earlier, allows untrusted applications and applets to gain privileges
via a Pack200 compressed JAR file that triggers a heap-based buffer
java-1.6.0-openjdk-18.104.22.168-0.20.b09.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
java-1.6.0-openjdk-22.214.171.124-7.b12.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Another mention of this issue:
http://secunia.com/advisories/32991/ (Point 15) ).
This issue has been addressed in following products:
Red Hat Network Satellite Server v 5.2
Via RHSA-2009:0466 https://rhn.redhat.com/errata/RHSA-2009-0466.html