![]() |
|
Date: Tue, 11 Sep 2012 11:11:28 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Florian Weimer <fweimer@...hat.com>, Oracle Security Team <secalert_us@...cle.com> Subject: Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/11/2012 03:18 AM, Jan Lieskovsky wrote: > Hello Kurt, Steve, vendors, > > an information disclosure flaw was found in the way certain Java > Virtual Machines (JVM) used to initialize integer arrays (they have > had nonzero elements right after the allocation in certain > circumstances). An attacker could use this flaw to obtain > potentially sensitive information. > > References (including the reproducer, workaround and further > details): [1] > http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857 [2] > https://bugzilla.redhat.com/show_bug.cgi?id=856124 > > Could you allocate a CVE id for this? > > Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat > Security Response Team > > P.S.: Issue brought to us by Florian Weimer, Red Hat Product > Security Team (for case someone is tracking the initial reporter) > > P.S#2: Oracle Security Team Cc-ed on this request too (to clarify > if CVE id has been assigned to this already or not). > Please use CVE-2012-4416 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQT3DAAAoJEBYNRVNeJnmT6EoP/iTl5HN/lsfqOi83/7UiYXVA MJyovSVnwWZ0Aqp0Ezw7AJei+VS0koiZAPy54I0ht4idSW2HDOFxH6mAbwAX2i7E pr3SZecVLb+V9OQs09hShV8eik4lQ+YuHVo/Ag3Q29QSBbncHH1WxbwQhcdttoW3 W3Flwp7+z3cLhINHV1nMEufjwwgATBkM92h6/rM9wTZBDpW7yfE5mFWMUgL7fhxd 9B4H4NJqiARKJ4Tuk6I9UOTNtQxG4Gvrb/3nWY6vWVJjU7N7ti4pHUa6pEMnM35T K6SYVQEeBgyLC5qxPQtbvYhjn8iT6NXkdtrDGlYXTeDBTqWJb5Mr6QnM4dbYZFfx y5dFJWyHhxKuvNMQU3Xi5/ht3ta7gGHtWpAPz6LB0l6MXR35Pdiuhf5ZzEWvLCkl jmtCK6WRcmcks6Bkseff/XDpdh7Fd9Pcot2XYOBxs4FkjV+Krqrmkf0DFemaxxO+ QEX1tRJlZY+2iwmlhfAoc3Msnid0yS4pMcDOvWwhwjkxeZ0BIkn8Vjvo+BaZt3uG aQnr8GyveaXaF7xWwMmjUuoyo3WbeOlPo2C+go3MyUZbCLJsuRislJtPF4gDLrcr NvzlKPZuZ5DBNKUD2eRhPMM4r8tBQ0Dn5jcsR8cFsx0D7h8u19lgUsREJP8sqPxF aABJ8sMvexuvy7D0rrm9 =NGRD -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.