LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Ubuntu alert USN-1521-1 (icedtea-web)



From:
    	      Steve Beattie <sbeattie@ubuntu.com> 


To:
    	      ubuntu-security-announce@lists.ubuntu.com 


Subject:
    	      [USN-1521-1] IcedTea-Web vulnerabilities 


Date:
    	      Tue, 31 Jul 2012 15:33:25 -0700


Message-ID:
    	      <20120731223325.GB3986@nxnw.org>


Archive-link:
    	      Article, Thread
              


==========================================================================
Ubuntu Security Notice USN-1521-1
July 31, 2012

icedtea-web vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

The IcedTea-Web Java web browser plugin could be made to crash or
possibly run programs as your login if it opened a specially crafted
applet.

Software Description:
- icedtea-web: A web browser plugin to execute Java applets

Details:

Chamal De Silva discovered that the IcedTea-Web Java web browser
plugin could dereference an uninitialized pointer. A remote attacker
could use this to craft a malicious web page that could cause a
denial of service by crashing the web browser or possibly execute
arbitrary code. (CVE-2012-3422)

Steven Bergom and others discovered that the IcedTea-Web Java web
browser plugin assumed that all strings provided by browsers are NULL
terminated, which is not guaranteed by the NPAPI (Netscape Plugin
Application Programming Interface). A remote attacker could use this
to craft a malicious Java applet that could cause a denial of service
by crashing the web browser, expose sensitive information or possibly
execute arbitrary code. (CVE-2012-3423)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  icedtea-6-plugin                1.2-2ubuntu1.1
  icedtea-7-plugin                1.2-2ubuntu1.1

Ubuntu 11.10:
  icedtea-6-plugin                1.2-2ubuntu0.11.10.2

Ubuntu 11.04:
  icedtea-6-plugin                1.2-2ubuntu0.11.04.2

Ubuntu 10.04 LTS:
  icedtea-6-plugin                1.2-2ubuntu0.10.04.2

After a standard system update you need to restart your web browser to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1521-1
  CVE-2012-3422, CVE-2012-3423

Package Information:
  https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubu...
  https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubu...
  https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubu...
  https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubu...

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds