CVE-2013-5907: Input Validation
First published: Tue Jan 14 2014(Updated: )
An insufficient input validation check flaw was found in the ICU Layout Engine's LookupProcessor, which is part of OpenJDK 2D component. A specially crafted font file could cause Java application to crash or execute arbitrary code. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. This fix improves checks added in the fix for <a href="https://access.redhat.com/security/cve/CVE-2012-1713">CVE-2012-1713</a> (<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2012-1713 OpenJDK: fontmanager layout lookup code memory corruption (2D, 7143617)" href="show_bug.cgi?id=829361">bug 829361</a>).
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | =1.5.0-update55 | |
| Oracle JRE | =1.5.0-update55 | |
| Oracle JDK | =1.7.0-update45 | |
| Oracle JRE | =1.7.0-update45 | |
| Oracle JRockit | =r27.7.7 | |
| Oracle JRockit | =r28.2.9 | |
| Oracle JDK | =1.6.0-update65 | |
| Oracle JRE | =1.6.0-update65 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/9d29c19f1de1
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00024.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00105.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00107.html
- http://lists.opensuse.org/opensuse-updates/2014-02/msg00000.html
- http://marc.info/?l=bugtraq&m=139402697611681&w=2
- http://marc.info/?l=bugtraq&m=139402749111889&w=2
- http://osvdb.org/101995
- http://rhn.redhat.com/errata/RHSA-2014-0026.html
- http://rhn.redhat.com/errata/RHSA-2014-0027.html
- http://rhn.redhat.com/errata/RHSA-2014-0030.html
- http://rhn.redhat.com/errata/RHSA-2014-0097.html
- http://rhn.redhat.com/errata/RHSA-2014-0134.html
- http://rhn.redhat.com/errata/RHSA-2014-0135.html
- http://rhn.redhat.com/errata/RHSA-2014-0136.html
- http://secunia.com/advisories/56432
- http://secunia.com/advisories/56485
- http://secunia.com/advisories/56486
- http://secunia.com/advisories/56487
- http://secunia.com/advisories/56535
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.securityfocus.com/bid/64758
- http://www.securityfocus.com/bid/64894
- http://www.securitytracker.com/id/1029608
- http://www.ubuntu.com/usn/USN-2089-1
- http://www.ubuntu.com/usn/USN-2124-1
- https://access.redhat.com/errata/RHSA-2014:0414
- https://bugzilla.redhat.com/show_bug.cgi?id=1052915
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04166777
- https://access.redhat.com/security/cve/CVE-2012-1713
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=829361
- https://rhn.redhat.com/errata/RHSA-2014-0027.html
- https://rhn.redhat.com/errata/RHSA-2014-0026.html
- https://rhn.redhat.com/errata/RHSA-2014-0030.html
- https://rhn.redhat.com/errata/RHSA-2014-0097.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025800.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025947.html
- http://mail.openjdk.java.net/pipermail/jdk6-dev/2014-January/003212.html
- https://rhn.redhat.com/errata/RHSA-2014-0136.html
- https://rhn.redhat.com/errata/RHSA-2014-0135.html
- https://rhn.redhat.com/errata/RHSA-2014-0134.html
- http://bugs.icu-project.org/trac/ticket/10684
- https://rhn.redhat.com/errata/RHSA-2014-0414.html
- https://rhn.redhat.com/errata/RHSA-2014-0705.html
- https://rhn.redhat.com/errata/RHSA-2014-0982.html
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-5907
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.5.0-update55
- canonical/oracle jre
- version/oracle jre/1.5.0-update55
- version/oracle jdk/1.7.0-update45
- version/oracle jre/1.7.0-update45
- canonical/oracle jrockit
- version/oracle jrockit/r27.7.7
- version/oracle jrockit/r28.2.9
- version/oracle jdk/1.6.0-update65
- version/oracle jre/1.6.0-update65
- package-manager/redhat