BID:22085

Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability

Info

Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability

Bugtraq ID:	22085
Class:	Boundary Condition Error
CVE:	CVE-2007-0243
Remote:	Yes
Local:	No
Published:	Jan 16 2007 12:00AM
Updated:	Jul 02 2008 07:00PM
Credit:	An anonymous researcher working with the Zero Day Initiative and TippingPoint is credited with discovering this issue.
Vulnerable:	Turbolinux Turbolinux Server 10.0 x86 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 10.0.0 x64 Turbolinux Turbolinux Desktop 10.0 Turbolinux Turbolinux FUJI Turbolinux Turbolinux 10 F... TurboLinux Personal TurboLinux Multimedia Turbolinux Home SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise SDK 10.SP1 SuSE Suse Linux Enterprise Desktop 10 SP1 SuSE Linux Openexchange Server SuSE Linux Enterprise Server 9 SuSE Linux Desktop 1.0 SuSE Linux 10.1 x86-64 SuSE Linux 10.1 x86 SuSE Linux 10.1 ppc SuSE Linux 10.0 x86-64 SuSE Linux 10.0 x86 SuSE Linux 10.0 ppc Sun SDK (Linux Production Release) 1.5 _07 Sun SDK (Linux Production Release) 1.5 _03 Sun SDK (Linux Production Release) 1.5 _02 Sun SDK (Linux Production Release) 1.5 _01 Sun SDK (Linux Production Release) 1.5 Sun SDK (Linux Production Release) 1.4.2 _07 Sun SDK (Linux Production Release) 1.4.2 _06 Sun JRE (Linux Production Release) 1.5 _05 Sun JRE (Linux Production Release) 1.5 _04 Sun JRE (Linux Production Release) 1.5 _03 Sun JRE (Linux Production Release) 1.5 _02 Sun JRE (Linux Production Release) 1.5 _01 Sun JRE (Linux Production Release) 1.4.2 _09 Sun JRE (Linux Production Release) 1.4.2 _08 Sun JRE (Linux Production Release) 1.4.2 _07 Sun JRE (Linux Production Release) 1.3.1 _18 Sun JRE (Linux Production Release) 1.3.1 _17 Sun JRE (Linux Production Release) 1.3.1 _16 Sun JRE (Linux Production Release) 1.3.1 _15 Sun JRE (Linux Production Release) 1.3.1 _04 Sun JRE (Linux Production Release) 1.3.1 _01a Sun Java 2 Standard Edition SDK 1.4.2 _08 Sun Java 2 Standard Edition SDK 1.4.2 _05 Sun Java 2 Standard Edition SDK 1.4.2 _04 Sun Java 2 Standard Edition SDK 1.4.2 _03 Sun Java 2 Standard Edition SDK 1.4.2 _02 Sun Java 2 Standard Edition SDK 1.4.2 _01 Sun Java 2 Runtime Environment 1.5 _06 Sun Java 2 Runtime Environment 1.4.2 _11 Sun Java 2 Runtime Environment 1.4.2 _10 Sun Java 2 Runtime Environment 1.4.2 _06 Sun Java 2 Runtime Environment 1.4.2 _05 Sun Java 2 Runtime Environment 1.4.2 _04 Sun Java 2 Runtime Environment 1.4.2 _03 + Oracle Oracle10g Application Server 10.1 .0.2 + Oracle Oracle10g Application Server 10.1 .0.2 + Oracle Oracle10g Application Server 10.1 .0.2 + Oracle Oracle10g Enterprise Edition 10.1 .0.2 + Oracle Oracle10g Enterprise Edition 10.1 .0.2 + Oracle Oracle10g Enterprise Edition 10.1 .0.2 + Oracle Oracle10g Personal Edition 10.1 .0.2 + Oracle Oracle10g Personal Edition 10.1 .0.2 + Oracle Oracle10g Personal Edition 10.1 .0.2 + Oracle Oracle10g Standard Edition 10.1 .0.2 Sun Java 2 Runtime Environment 1.4.2 _02 Sun Java 2 Runtime Environment 1.4.2 _01 Sun Java 2 Runtime Environment 1.3.1 _08 Sun Java 2 Runtime Environment 1.3.1 _01 Sun Java 2 Runtime Environment 5.0.Update 9 Sun Java 2 Runtime Environment 5.0 Update 8 Sun Java 2 Runtime Environment 5.0 Update 7 Sun Java 2 Runtime Environment 5.0 Update 6 Sun Java 2 Runtime Environment 5.0 Update 5 Sun Java 2 Runtime Environment 5.0 Update 4 Sun Java 2 Runtime Environment 5.0 Update 3 Sun Java 2 Runtime Environment 5.0 Update 2 Sun Java 2 Runtime Environment 5.0 Update 1 Slackware Linux 10.2 Slackware Linux 10.1 Slackware Linux 10.0 Slackware Linux 9.1 Slackware Linux 9.0 Slackware Linux 8.1 Slackware Linux 12.0 Slackware Linux 11.0 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9 Redhat Red Hat Network Satellite Server 5.0 Redhat Network Satellite (for RHEL 4) 4.2 Redhat Network Satellite (for RHEL 3) 4.2 Redhat Enterprise Linux Supplementary 5 server Redhat Enterprise Linux Extras 4 Redhat Enterprise Linux Extras 3 HP HP-UX B.11.23 HP HP-UX B.11.11 Gentoo Linux BEA Systems JRockit 8.1 BEA Systems JRockit 8.0 BEA Systems JRockit 7.0 BEA Systems JRockit 3.1.5 BEA Systems JRockit 3.1.4 .1 BEA Systems JRockit 3.1.4 BEA Systems JRockit 3.1.3 BEA Systems JRockit 3.1.2 BEA Systems JRockit 3.1.1 BEA Systems JRockit 1.4.2 BEA Systems JRockit 1.4.2 R4.5 Avaya Predictive Dialer (PDS) APC 3.0 Avaya Interactive Response 1.3 Avaya Interactive Response 2.0 Apple Mac OS X Server 10.4.11 Apple Mac OS X Server 10.4.10 Apple Mac OS X 10.4.11 Apple Mac OS X 10.4.10

Not Vulnerable:	Sun SDK (Linux Production Release) 1.3.1 _19 Sun JRE (Linux Production Release) 1.3.1 _19 Sun Java 2 Standard Edition SDK 1.4.2 _13 Sun Java 2 Runtime Environment 1.4.2 _13 Sun Java 2 Runtime Environment 5.0.Update 10 BEA Systems JRockit 1.4.2 07 BEA Systems JRockit 1.3.1 20 BEA Systems JRockit 1.5.0_04

Discussion

Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability

The Java Runtime Environment is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

An attacker may exploit this issue by enticing a victim into opening a maliciously crafted Java applet.

The attacker can exploit these issues to execute arbitrary code with the privileges of the victim. Failed exploit attempts will likely result in denial-of-service conditions.

This issue is being tracked by BugID: 6445518

Exploit / POC

Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability

Symantec has received reports of this issue being exploited in the wild.

The following exploit is available:

/data/vulnerabilities/exploits/JvmGifVulPoc.java

Solution / Fix

Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability

Solution:
Sun Microsystems has released an advisory and updates to address these issues.

Please see the references for more information.

Reportedly, when the Java console 'info level' is set to level 5, the vulnerability may still be exposed after patching this issue. Symantec has not confirmed or tested this configuration setting.

Slackware Linux 12.0

Slackware JDK: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/extra/jdk-6/jdk-6 u2-i586-1.tgz

Slackware JRE: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ jre-6u2-i586-1.tgz

Sun Java 2 Runtime Environment 5.0 Update 1

Sun 118666-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118666-10-1

Sun 118667-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118667-10-1

Sun 118668-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118668-10-1

Sun 118669-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118669-10-1

Sun Java 2 Runtime Environment 5.0 Update 3

Sun 118666-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118666-10-1

Sun 118667-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118667-10-1

Sun 118668-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118668-10-1

Sun 118669-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118669-10-1

Turbolinux Turbolinux 10 F...

Turbolinux j2sdk-addon-1.5.0_11-1.i586.rpm
Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/u pdates/RPMS/j2sdk-addon-1.5.0_11-1.i586.rpm

Sun Java 2 Runtime Environment 5.0 Update 2

Sun 118666-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118666-10-1

Sun 118667-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118667-10-1

Sun 118668-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118668-10-1

Sun 118669-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118669-10-1

Turbolinux Home

Turbolinux j2sdk-addon-1.5.0_11-1.i586.rpm
Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/u pdates/RPMS/j2sdk-addon-1.5.0_11-1.i586.rpm

Sun Java 2 Runtime Environment 5.0 Update 7

Sun 118666-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118666-10-1

Sun 118667-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118667-10-1

Sun 118668-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118668-10-1

Sun 118669-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118669-10-1

Turbolinux Turbolinux FUJI

Turbolinux j2sdk-addon-1.5.0_11-1.i686.rpm
Turbolinux FUJI
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux jdk-1_5_0_11-linux-i586.rpm
Turbolinux FUJI
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Turbolinux Turbolinux Server 10.0.0 x64

Turbolinux java-1.5.0-sun-1.5.0.11-1jppTL10.x86_64.rpm
Turbolinux 10 Server x64 Edition
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/upd ates/RPMS/java-1.5.0-sun-1.5.0.11-1jppTL10.x86_64.rpm

Turbolinux java-1.5.0-sun-alsa-1.5.0.11-1jppTL10.x86_64.rpm
Turbolinux 10 Server x64 Edition
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/upd ates/RPMS/java-1.5.0-sun-alsa-1.5.0.11-1jppTL10.x86_64.rpm

Turbolinux java-1.5.0-sun-demo-1.5.0.11-1jppTL10.x86_64.rpm
Turbolinux 10 Server x64 Edition
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/upd ates/RPMS/java-1.5.0-sun-demo-1.5.0.11-1jppTL10.x86_64.rpm

Turbolinux java-1.5.0-sun-devel-1.5.0.11-1jppTL10.x86_64.rpm
Turbolinux 10 Server x64 Edition
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/upd ates/RPMS/java-1.5.0-sun-devel-1.5.0.11-1jppTL10.x86_64.rpm

Turbolinux java-1.5.0-sun-jdbc-1.5.0.11-1jppTL10.x86_64.rpm
Turbolinux 10 Server x64 Edition
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/upd ates/RPMS/java-1.5.0-sun-jdbc-1.5.0.11-1jppTL10.x86_64.rpm

Turbolinux java-1.5.0-sun-src-1.5.0.11-1jppTL10.x86_64.rpm
Turbolinux 10 Server x64 Edition
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/upd ates/RPMS/java-1.5.0-sun-src-1.5.0.11-1jppTL10.x86_64.rpm

BEA Systems JRockit 1.4.2 R4.5

BEA Systems CR310095_CR318640_CR315192_JR-R24.5_1.4.2_08_linux32.tar.gz
ftp://anonymous:dev2dev%[email protected]/pub/releases/security/ CR310095_CR318640_CR315192_JR-R24.5_1.4.2_08_linux32.tar.gz

Sun Java 2 Runtime Environment 5.0 Update 5

Sun 118666-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118666-10-1

Sun 118667-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118667-10-1

Sun 118668-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118668-10-1

Sun 118669-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118669-10-1

Sun Java 2 Runtime Environment 5.0 Update 6

Sun 118666-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118666-10-1

Sun 118667-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118667-10-1

Sun 118668-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118668-10-1

Sun 118669-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118669-10-1

Sun Java 2 Runtime Environment 5.0 Update 8

Sun 118666-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118666-10-1

Sun 118667-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118667-10-1

Sun 118668-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118668-10-1

Sun 118669-10
http://www.sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid: 1-21-118669-10-1

TurboLinux Personal

Turbolinux j2sdk-addon-1.5.0_11-1.i586.rpm
Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/u pdates/RPMS/j2sdk-addon-1.5.0_11-1.i586.rpm

Slackware Linux 10.0

Slackware JDK: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/extra/jdk-6/jdk-6 u2-i586-1.tgz

Slackware JRE: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ jre-6u2-i586-1.tgz

Turbolinux Turbolinux Desktop 10.0

Turbolinux j2sdk-addon-1.5.0_11-1.i586.rpm
Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/u pdates/RPMS/j2sdk-addon-1.5.0_11-1.i586.rpm

Slackware Linux 10.1

Slackware JDK: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/extra/jdk-6/jdk-6 u2-i586-1.tgz

Slackware JRE: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ jre-6u2-i586-1.tgz

Slackware Linux 10.2

Slackware JDK: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/extra/jdk-6/jdk-6 u2-i586-1.tgz

Slackware JRE: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ jre-6u2-i586-1.tgz

Apple Mac OS X 10.4.10

Apple Java for Mac OS X 10.4, Release 6
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16540&cat= 1&platform=osx&method=sa/JavaForMacOSX10.4Release6.dmg

Apple Mac OS X Server 10.4.10

Apple Java for Mac OS X 10.4, Release 6
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16540&cat= 1&platform=osx&method=sa/JavaForMacOSX10.4Release6.dmg

Apple Mac OS X 10.4.11

Apple Java for Mac OS X 10.4, Release 6
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16540&cat= 1&platform=osx&method=sa/JavaForMacOSX10.4Release6.dmg

Apple Mac OS X Server 10.4.11

Apple Java for Mac OS X 10.4, Release 6
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16540&cat= 1&platform=osx&method=sa/JavaForMacOSX10.4Release6.dmg

Slackware Linux 8.1

Slackware JDK: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/extra/jdk-6/jdk-6 u2-i586-1.tgz

Slackware JRE: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ jre-6u2-i586-1.tgz

Slackware Linux 9.0

Slackware JDK: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/extra/jdk-6/jdk-6 u2-i586-1.tgz

Slackware JRE: Updated packages for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ jre-6u2-i586-1.tgz

References

Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability

References:

CVE Request: python-rsa signature forgery (Filippo Valsorda )
Java 2 Homepage (Sun)
Novell: Security update for IBM Java (Novell)
Novell: Security update for Java (Novell)
RHSA-2007:0956-3 - java-1.5.0-bea security update (RedHat)
Sun Alert ID 102760 Security Vulnerability in Processing GIF Images in the Java (Sun Microsystems)
ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerabili (ZDI)
[security bulletin] HPSBUX02196 SSRT071318 rev.2 - HP-UX Java (JRE and JDK) Remo ([email protected])
ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerabili (ZDI)
ASA-2007-027 - Security Vulnerability in Processing GIF Images in the Java Runti (Avaya)
ASA-2007-119 HP-UX Java (JRE and JDK) Remote Execution of Arbitrary Code (HPSBUX (Avaya)
RHSA-2007:0166-2 - java-1.4.2-ibm security update (RedHat)
RHSA-2008:0261-4 Moderate: Red Hat Network Satellite Server security update (Red Hat)
RHSA-2008:0524-4 Red Hat Network Satellite Server security update (Red Hat)
Technical Cyber Security Alert TA07-022A - Sun Updates for Multiple Vulnerabilit (US-CERT)
Vulnerability Note VU#388289 - Sun Microsystems Java GIF image processing buffer (US-CERT)