LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

icedtea-web: code execution

Package(s):icedtea-web CVE #(s):CVE-2012-3422 CVE-2012-3423
Created:August 1, 2012 Updated:September 24, 2012
Description: From the Red Hat advisory:

An uninitialized pointer use flaw was found in the IcedTea-Web plug-in. Visiting a malicious web page could possibly cause a web browser using the IcedTea-Web plug-in to crash, disclose a portion of its memory, or execute arbitrary code. (CVE-2012-3422)

It was discovered that the IcedTea-Web plug-in incorrectly assumed all strings received from the browser were NUL terminated. When using the plug-in with a web browser that does not NUL terminate strings, visiting a web page containing a Java applet could possibly cause the browser to crash, disclose a portion of its memory, or execute arbitrary code. (CVE-2012-3423)

Alerts:
Red Hat RHSA-2012:1132-01 2012-07-31
CentOS CESA-2012:1132 2012-07-31
Oracle ELSA-2012-1132 2012-07-31
Scientific Linux SL-iced-20120801 2012-08-01
Ubuntu USN-1521-1 2012-07-31
Mandriva MDVSA-2012:122 2012-08-02
Mageia MGASA-2012-0198 2012-08-03
SUSE SUSE-SU-2012:0979-1 2012-08-09
openSUSE openSUSE-SU-2012:0981-1 2012-08-10
openSUSE openSUSE-SU-2012:0982-1 2012-08-13
Fedora FEDORA-2012-14316 2012-09-21
Fedora FEDORA-2012-14340 2012-09-21
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds