Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Sep 2012 05:18:14 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com, Florian Weimer <fweimer@...hat.com>,
        Oracle Security Team <secalert_us@...cle.com>
Subject: CVE Request (minor) -- JVM: heap memory disclosure (possibly
 various JDKs)

Hello Kurt, Steve, vendors,

  an information disclosure flaw was found in the way certain
Java Virtual Machines (JVM) used to initialize integer arrays
(they have had nonzero elements right after the allocation in
certain circumstances). An attacker could use this flaw to
obtain potentially sensitive information.

References (including the reproducer, workaround and further details):
[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857
[2] https://bugzilla.redhat.com/show_bug.cgi?id=856124

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.:  Issue brought to us by Florian Weimer, Red Hat Product Security Team
       (for case someone is tracking the initial reporter)

P.S#2: Oracle Security Team Cc-ed on this request too (to clarify
       if CVE id has been assigned to this already or not).

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.