Articles / Ubuntu: Security update for…

Ubuntu: Security update for OpenJDK

It was discovered that multiple flaws existed in the CORBA (Common Object Request Broker Architecture) implementation in OpenJDK. An attacker could create a Java application or applet that used these flaws to bypass Java sandbox restrictions or modify immutable object data. It was discovered that multiple flaws existed in the OpenJDK font manager’s layout lookup implementation. A attacker could specially craft a font file that could cause a denial of service through crashing the JVM (Java Virtual Machine) or possibly execute arbitrary code. It was discovered that the SynthLookAndFeel class from Swing in OpenJDK did not properly prevent access to certain UI elements from outside the current application context. An attacker could create a Java application or applet that used this flaw to cause a denial of service through crashing the JVM or bypass Java sandbox restrictions.

It was discovered that OpenJDK runtime library classes could create temporary files with insecure permissions. A local attacker could use this to gain access to sensitive information. It was discovered that OpenJDK did not handle CRLs (Certificate Revocation Lists) properly. A remote attacker could use this to gain access to sensitive information. It was discovered that the OpenJDK HotSpot Virtual Machine did not properly verify the bytecode of the class to be executed. A remote attacker could create a Java application or applet that used this to cause a denial of service through crashing the JVM or bypass Java sandbox restrictions.

It was discovered that the OpenJDK XML (Extensible Markup Language) parser did not properly handle some XML documents. An attacker could create an XML document that caused a denial of service in a Java application or applet parsing the document.

Updated packages are available from security.ubuntu.com.

==========================================================================
Ubuntu Security Notice USN-1505-1
July 13, 2012

icedtea-web, openjdk-6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in OpenJDK 6.

Software Description:
- openjdk-6: Open Source Java implementation
- icedtea-web: A web browser plugin to execute Java applets

Details:

It was discovered that multiple flaws existed in the CORBA (Common
Object Request Broker Architecture) implementation in OpenJDK. An
attacker could create a Java application or applet that used these
flaws to bypass Java sandbox restrictions or modify immutable object
data. (CVE-2012-1711, CVE-2012-1719)

It was discovered that multiple flaws existed in the OpenJDK font
manager's layout lookup implementation. A attacker could specially
craft a font file that could cause a denial of service through
crashing the JVM (Java Virtual Machine) or possibly execute arbitrary
code. (CVE-2012-1713)

It was discovered that the SynthLookAndFeel class from Swing in
OpenJDK did not properly prevent access to certain UI elements
from outside the current application context. An attacker could
create a Java application or applet that used this flaw to cause a
denial of service through crashing the JVM or bypass Java sandbox
restrictions. (CVE-2012-1716)

It was discovered that OpenJDK runtime library classes could create
temporary files with insecure permissions. A local attacker could
use this to gain access to sensitive information. (CVE-2012-1717)

It was discovered that OpenJDK did not handle CRLs (Certificate
Revocation Lists) properly. A remote attacker could use this to gain
access to sensitive information. (CVE-2012-1718)

It was discovered that the OpenJDK HotSpot Virtual Machine did not
properly verify the bytecode of the class to be executed. A remote
attacker could create a Java application or applet that used this
to cause a denial of service through crashing the JVM or bypass Java
sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)

It was discovered that the OpenJDK XML (Extensible Markup Language)
parser did not properly handle some XML documents. An attacker could
create an XML document that caused a denial of service in a Java
application or applet parsing the document. (CVE-2012-1724)

As part of this update, the IcedTea web browser applet plugin was
updated for Ubuntu 10.04 LTS, Ubuntu 11.04, and Ubuntu 11.10.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
 openjdk-6-jre                   6b24-1.11.3-1ubuntu0.12.04.1

Ubuntu 11.10:
 icedtea-6-plugin                1.2-2ubuntu0.11.10.1
 openjdk-6-jre                   6b24-1.11.3-1ubuntu0.11.10.1

Ubuntu 11.04:
 icedtea-6-plugin                1.2-2ubuntu0.11.04.1
 openjdk-6-jre                   6b24-1.11.3-1ubuntu0.11.04.1

Ubuntu 10.04 LTS:
 icedtea-6-plugin                1.2-2ubuntu0.10.04.1
 openjdk-6-jre                   6b24-1.11.3-1ubuntu0.10.04.1

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References:
 http://www.ubuntu.com/usn/usn-1505-1
 CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,
 CVE-2012-1718, CVE-2012-1719, CVE-2012-1723, CVE-2012-1724,
 CVE-2012-1725

Package Information:
 https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.12.04.1
 https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.10.1
 https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.11.10.1
 https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.04.1
 https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.11.04.1
 https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.10.04.1
 https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.10.04.1
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.