From Mageia wiki
Jump to: navigation, search

MGASA-2012-0198

Date: August 3rd, 2012
Affected releases: 1, 2


Description:
Updated icedtea-web packages fix security vulnerabilities:

An uninitialized pointer use flaw was found in the IcedTea-Web plug-in.
Visiting a malicious web page could possibly cause a web browser using
the IcedTea-Web plug-in to crash, disclose a portion of its memory, or
execute arbitrary code (CVE-2012-3422).

It was discovered that the IcedTea-Web plug-in incorrectly assumed all
strings received from the browser were NUL terminated. When using the
plug-in with a web browser that does not NUL terminate strings, visiting
a web page containing a Java applet could possibly cause the browser to
crash, disclose a portion of its memory, or execute arbitrary code
(CVE-2012-3423).


Updated Packages:
Mageia 1:
icedtea-web-1.1.6-1.mga1
icedtea-web-javadoc-1.1.6-1.mga1

Mageia 2:
icedtea-web-1.2.1-1.mga2
icedtea-web-javadoc-1.2.1-1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3423
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-July/019580.html
https://rhn.redhat.com/errata/RHSA-2012-1132.html
https://bugs.mageia.org/show_bug.cgi?id=6930