Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Sep 2012 06:55:12 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Florian Weimer <fweimer@...hat.com>,
        Oracle Security Team <secalert_us@...cle.com>,
        David Jorm <djorm@...hat.com>
Subject: Re: CVE Request (minor) -- JVM: heap memory
 disclosure (possibly various JDKs)

Hello Steve,

  thank you for the clarification.

> Jan/Kurt,
> 
> The bug report appears to be describing a narrow class of vulnerability 
> that could affect multiple codebases that implement Java Virtual Machines, 
> not just Oracle's;

That's true, my yesterday's request was too wide, because in that moment we were
not sure yet, which concrete JVM implementations would be affected by this
deficiency (and which not).

> if so, then a separate CVE would be needed for each 
> REPORTED codebase, and CVE-2012-4416 is ONLY for bug id 7196857 for the 
> Oracle-supported JVM.

Anyway, upon David's review (Cc-ed too) we can announce that this problem would
affect / is specific only to Oracle Java SE 7 (java-1.7.0-oracle), and
Java SE 7 as provided by OpenJDK 7 (java-1.7.0-openjdk).

So after above suggestion we will use CVE-2012-4416 for Oracle's codebase /
Oracle supported JVM and the OpenJDK one should obtain another CVE identifier.

I will clarify this situation in our bugs too yet.

Kurt, could you allocate another CVE id then for the OpenJDK part of the
story?

> 
> I wonder about the severity of the issue, but given the possibility that 
> applications might access an array before a fill, and applications may 
> depend on there being "empty" elements after initialization, this seems 
> reasonable for a CVE.

Florian clarified on this already (why to assign CVE id for these is appropriate
approach).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> - Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ