
icedtea-web: code execution

Package(s): icedtea-web
CVE #(s): CVE-2012-3422 CVE-2012-3423
Created: August 1, 2012
Updated: September 24, 2012
Description: From the Red Hat advisory:

An uninitialized pointer use flaw was found in the IcedTea-Web plug-in. Visiting a malicious web page could possibly cause a web browser using the IcedTea-Web plug-in to crash, disclose a portion of its memory, or execute arbitrary code. (CVE-2012-3422)

It was discovered that the IcedTea-Web plug-in incorrectly assumed all strings received from the browser were NUL terminated. When using the plug-in with a web browser that does not NUL terminate strings, visiting a web page containing a Java applet could possibly cause the browser to crash, disclose a portion of its memory, or execute arbitrary code. (CVE-2012-3423)

Alerts:
Red Hat RHSA-2012:1132-01 2012-07-31
CentOS CESA-2012:1132 2012-07-31
Oracle ELSA-2012-1132 2012-07-31
Scientific Linux SL-iced-20120801 2012-08-01
Ubuntu USN-1521-1 2012-07-31
Mandriva MDVSA-2012:122 2012-08-02
Mageia MGASA-2012-0198 2012-08-03
SUSE SUSE-SU-2012:0979-1 2012-08-09
openSUSE openSUSE-SU-2012:0981-1 2012-08-10
openSUSE openSUSE-SU-2012:0982-1 2012-08-13
Fedora FEDORA-2012-14316 2012-09-21
Fedora FEDORA-2012-14340 2012-09-21


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.