Open Source and information security mailing list archives
Date: Wed, 5 Mar 2008 18:04:32 -0800
From: "Chris Evans" <scarybeasts@...il.com>
To: bugtraq@...urityfocus.com
Subject: Sun JDK image parsing vulnerabilities

Hi,

A couple more JPEG ICC parsing bugs were fixed in the latest JDK updates.

Full technical details:
http://scary.beasts.org/security/CESA-2007-005.html

The most interesting part is the faulty code:

    Limit = SpGetUInt32 (Buf);
    ...
    UInt16Ptr = (KpUInt16_t *)SpMalloc (Limit * (KpInt32_t)sizeof (*UInt16Ptr));
    ...
    for (Index = 0; Index < Limit; Index++)
        *UInt16Ptr++ = SpGetUInt16 (Buf);
    ...

And the image to trigger:
http://scary.beasts.org/misc/jdk/evilicc2.jpg

Normally, the heap overflow would just terminate the process as the copy
length is kind of wild. However, JDK installs a SEGV handler which accesses
a lot of (potentially trashed) memory in the process of putting together a
meaningful crash dump. It's quite likely that this makes the condition
exploitable as per a previous bug in this area:
http://scary.beasts.org/security/CESA-2006-004.html

Blog post for all of the above:
http://scarybeastsecurity.blogspot.com/2008/03/sun-jdk-image-parsing-vulnerabilities.html

Cheers
Chris
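The pattern quoted in the post, worked through as an added example (this is not Chris Evans's code nor the Sun/Kodak CMM code it describes). The quoted snippet takes an attacker-controlled 32-bit count from the ICC data, multiplies it by sizeof(uint16) for the allocation, then loops that many times copying from the input. Two things a reviewer sees there: the 32-bit product can wrap to a small allocation while the loop still runs the full count, and the count is never compared with how many bytes the input actually holds. The block below reproduces the size arithmetic in isolation and then shows a hardened version of the same parse step. The rd_u32/rd_u16 readers, the parse_u16_table name, and the two byte arrays are all assumptions constructed for the example (ICC data is big-endian, which the readers follow; the arrays are not the evilicc2.jpg trigger).

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Big-endian readers standing in for the SpGetUInt32/SpGetUInt16 calls in
   the post (assumed semantics; these are example helpers, not the CMM API). */
static uint32_t rd_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint16_t rd_u16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* The size computation from the quoted code, in isolation:
   Limit * (KpInt32_t)sizeof(*UInt16Ptr) with a 32-bit unsigned Limit.
   The int32 operand is converted to uint32, so the product is a 32-bit
   unsigned value that wraps modulo 2^32: a Limit of 0x80000001 yields a
   2-byte allocation for a loop that then runs 2^31+1 times. */
uint32_t vulnerable_alloc_size(uint32_t limit) {
    return limit * (int32_t)sizeof(uint16_t);
}

/* Hardened version of the same parse step: the entry count is checked
   against the bytes actually present and against the allocation arithmetic
   before anything is allocated or copied. Returns 0 on success (caller
   frees *out), -1 when the input is rejected. */
int parse_u16_table(const uint8_t *data, size_t len,
                    uint16_t **out, uint32_t *count) {
    *out = NULL;
    *count = 0;
    if (len < 4)
        return -1;                                  /* no room for Limit */
    uint32_t limit = rd_u32(data);
    size_t avail = (len - 4) / sizeof(uint16_t);    /* entries really there */
    if (limit > avail)
        return -1;                                  /* claims more than input */
    if (limit > SIZE_MAX / sizeof(uint16_t))
        return -1;  /* implied by the check above, kept so the malloc line is
                       safe to read on its own */
    if (limit == 0)
        return 0;
    uint16_t *tbl = malloc((size_t)limit * sizeof(uint16_t));
    if (tbl == NULL)
        return -1;
    const uint8_t *p = data + 4;
    for (uint32_t i = 0; i < limit; i++, p += 2)
        tbl[i] = rd_u16(p);
    *out = tbl;
    *count = limit;
    return 0;
}

/* Constructed sample inputs (assumptions for the example). GOOD declares 3
   entries and carries 3; EVIL declares 0x80000001 entries and carries 1. */
static const uint8_t GOOD[] = {0x00,0x00,0x00,0x03, 0x11,0x22, 0x33,0x44, 0x55,0x66};
static const uint8_t EVIL[] = {0x80,0x00,0x00,0x01, 0x00,0x00};

/* Parses GOOD; returns its second entry (0x3344) or 0 on any failure. */
uint16_t demo_good(void) {
    uint16_t *t;
    uint32_t n;
    if (parse_u16_table(GOOD, sizeof GOOD, &t, &n) != 0 || n != 3)
        return 0;
    uint16_t v = t[1];
    free(t);
    return v;
}

/* Parses EVIL; returns the parser's verdict (-1: rejected before any copy). */
int demo_evil(void) {
    uint16_t *t;
    uint32_t n;
    return parse_u16_table(EVIL, sizeof EVIL, &t, &n);
}

int main(void) {
    printf("alloc size for Limit=0x80000001: %u bytes\n",
           vulnerable_alloc_size(0x80000001u));
    printf("GOOD entry[1] = 0x%04x, EVIL verdict = %d\n",
           demo_good(), demo_evil());
    return 0;
}
```

The check that matters is `limit > avail`: with it in place the loop can never read past the input or write past the allocation, whatever value Limit carries. The separate SIZE_MAX check is the generic guard for the multiplication itself, and is the one to reach for when the count is not naturally bounded by the input length.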