Bug 1857172 (CVE-2020-14581) - CVE-2020-14581 OpenJDK: Information disclosure in color management (2D, 8238002)
Summary: CVE-2020-14581 OpenJDK: Information disclosure in color management (2D, 8238002)
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-14581
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1838813
TreeView+ depends on / blocked
 
Reported: 2020-07-15 10:33 UTC by Tomas Hoger
Modified: 2020-08-04 15:51 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-15 13:27:40 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2020-07-15 10:33:16 UTC
A flaw was found in the color management code in the 2D component of OpenJDK.  A specially-crafted image file could cause a Java application to disclose portion of its memory.

Comment 1 Tomas Hoger 2020-07-15 10:35:27 UTC
Public now via Oracle CPU July 2020:

https://www.oracle.com/security-alerts/cpujul2020.html#AppendixJAVA

Fixed in Oracle Java SE 14.0.2, 11.0.8, and 8u261.

Comment 2 Tomas Hoger 2020-07-15 10:45:11 UTC
OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/917fdf37c538

OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/29ec8fdd7b86

Comment 3 Product Security DevOps Team 2020-07-15 13:27:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14581

Comment 4 Tomas Hoger 2020-08-04 15:51:43 UTC
The fix for this CVE affects the code of the LittleCMS / lcms project that is embedded in the OpenJDK sources.  The patch consists of two parts:

- Increase of the Colorant[] buffer size in the WriteNamedColorCRD() function.
- A change of compiler flags to work around Xcode / clang bug on MacOS.

The Colorant[] buffer size increase was applied to the LittleCMS upstream code via the following pull request and commit:

https://github.com/mm2/Little-CMS/pull/186
https://github.com/mm2/Little-CMS/commit/d1fcbdc6bcdd50432ae95e9c6f83e79338f87690

While the fix there is described as buffer overflow fix, the further analysis of the code showed that the overflow was not actually possible because of what data gets stored in the buffer.  Hence that part of the OpenJDK commit does not have any security impact.

The other part of the OpenJDK commit has to be relevant to this CVE.  However, as that problems is specific to MacOS builds of OpenJDK, it does not affect any OpenJDK packages distributed by Red Hat.


Note You need to log in before you can comment on or make changes to this bug.