Bug 1857172 (CVE-2020-14581) - CVE-2020-14581 OpenJDK: Information disclosure in color management (2D, 8238002)
Summary: CVE-2020-14581 OpenJDK: Information disclosure in color management (2D, 8238002)
Alias: CVE-2020-14581
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1838813
TreeView+ depends on / blocked
Reported: 2020-07-15 10:33 UTC by Tomas Hoger
Modified: 2020-08-04 15:51 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-07-15 13:27:40 UTC

Attachments (Terms of Use)

Description Tomas Hoger 2020-07-15 10:33:16 UTC
A flaw was found in the color management code in the 2D component of OpenJDK.  A specially-crafted image file could cause a Java application to disclose portion of its memory.

Comment 1 Tomas Hoger 2020-07-15 10:35:27 UTC
Public now via Oracle CPU July 2020:


Fixed in Oracle Java SE 14.0.2, 11.0.8, and 8u261.

Comment 2 Tomas Hoger 2020-07-15 10:45:11 UTC
OpenJDK-11 upstream commit:

OpenJDK-8 upstream commit:

Comment 3 Product Security DevOps Team 2020-07-15 13:27:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 4 Tomas Hoger 2020-08-04 15:51:43 UTC
The fix for this CVE affects the code of the LittleCMS / lcms project that is embedded in the OpenJDK sources.  The patch consists of two parts:

- Increase of the Colorant[] buffer size in the WriteNamedColorCRD() function.
- A change of compiler flags to work around Xcode / clang bug on MacOS.

The Colorant[] buffer size increase was applied to the LittleCMS upstream code via the following pull request and commit:


While the fix there is described as buffer overflow fix, the further analysis of the code showed that the overflow was not actually possible because of what data gets stored in the buffer.  Hence that part of the OpenJDK commit does not have any security impact.

The other part of the OpenJDK commit has to be relevant to this CVE.  However, as that problems is specific to MacOS builds of OpenJDK, it does not affect any OpenJDK packages distributed by Red Hat.

Note You need to log in before you can comment on or make changes to this bug.