MDVSA-2012:122

Package name

icedtea-web

Date

2012-08-02

Advisory ID

MDVSA-2012:122

Affected versions

MES5 i586 , 2011 i586 , MES5 x86_64 , 2011 x86_64

Problem description

Multiple vulnerabilities has been discovered and corrected in
icedtea-web:

An uninitialized pointer use flaw was found in IcedTea-Web web
browser plugin. A malicious web page could use this flaw make
IcedTea-Web browser plugin pass invalid pointer to a web browser.
Depending on the browser used, it may cause the browser to crash or
possibly execute arbitrary code (CVE-2012-3422).

It was discovered that the IcedTea-Web web browser plugin incorrectly
assumed that all strings provided by browser are NUL terminated,
which is not guaranteed by the NPAPI (Netscape Plugin Application
Programming Interface). When used in a browser that does not NUL
terminate NPVariant NPStrings, this could lead to buffer over-read
or over-write, resulting in possible information leak, crash, or code
execution (CVE-2012-3423).

The updated packages have been upgraded to the 1.1.6 version which
is not affected by these issues.

Updated packages

MES5 i586

 ce92b853ce47b6eb7a528a5e7ced8c8e  mes5/i586/icedtea-web-1.1.6-0.1mdvmes5.2.i586.rpm
 4201d942d7e176ffb005ffe214a6cc54  mes5/i586/icedtea-web-javadoc-1.1.6-0.1mdvmes5.2.i586.rpm 
 dbd321e17ccb40cb40db343044b7e859  mes5/SRPMS/icedtea-web-1.1.6-0.1mdvmes5.2.src.rpm

2011 i586

 b1a6bc36b0f02e00906b217b75a48e30  2011/i586/icedtea-web-1.1.6-0.1-mdv2011.0.i586.rpm
 08a1aae3dd89b239b9d8583940c6cf06  2011/i586/icedtea-web-javadoc-1.1.6-0.1-mdv2011.0.noarch.rpm 
 b687b00289491c8e6eb6ff242305d178  2011/SRPMS/icedtea-web-1.1.6-0.1.src.rpm

MES5 x86_64

 c0ea62255a3ad326d31d3ea24496a81a  mes5/x86_64/icedtea-web-1.1.6-0.1mdvmes5.2.x86_64.rpm
 1a947f44b47f31f78626ef499214de7f  mes5/x86_64/icedtea-web-javadoc-1.1.6-0.1mdvmes5.2.x86_64.rpm 
 dbd321e17ccb40cb40db343044b7e859  mes5/SRPMS/icedtea-web-1.1.6-0.1mdvmes5.2.src.rpm

2011 x86_64

 01df6b63bb74556737c17550bf4b8302  2011/x86_64/icedtea-web-1.1.6-0.1-mdv2011.0.x86_64.rpm
 0c8917df0db43222551082bcc66e1665  2011/x86_64/icedtea-web-javadoc-1.1.6-0.1-mdv2011.0.noarch.rpm 
 b687b00289491c8e6eb6ff242305d178  2011/SRPMS/icedtea-web-1.1.6-0.1.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3423
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3422