Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2012 04:55 AM, Jan Lieskovsky wrote:
> Hello Steve,
>
> thank you for the clarification.
>
> > Jan/Kurt,
> >
> > The bug report appears to be describing a narrow class of
> > vulnerability that could affect multiple codebases that implement
> > Java Virtual Machines, not just Oracle's;
>
> That's true, my yesterday's request was too wide, because in that
> moment we were not sure yet, which concrete JVM implementations
> would be affected by this deficiency (and which not).
>
> > if so, then a separate CVE would be needed for each REPORTED
> > codebase, and CVE-2012-4416 is ONLY for bug id 7196857 for the 
> > Oracle-supported JVM.
>
> Anyway, upon David's review (Cc-ed too) we can announce that this
> problem would affect / is specific only to Oracle Java SE 7
> (java-1.7.0-oracle), and Java SE 7 as provided by OpenJDK 7
> (java-1.7.0-openjdk).
>
> So after above suggestion we will use CVE-2012-4416 for Oracle's
> codebase / Oracle supported JVM and the OpenJDK one should obtain
> another CVE identifier.
>
> I will clarify this situation in our bugs too yet.
>
> Kurt, could you allocate another CVE id then for the OpenJDK part
> of the story?
>
> > I wonder about the severity of the issue, but given the
> > possibility that applications might access an array before a
> > fill, and applications may depend on there being "empty" elements
> > after initialization, this seems reasonable for a CVE.
>
> Florian clarified on this already (why to assign CVE id for these
> is appropriate approach).
>
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
>
> > - Steve

Please use CVE-2012-4420 for this issue in OpenJDK

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUWWiAAoJEBYNRVNeJnmTsA0P/1WpRpGkrl0DUEI5Lve08CjB
9Vi1U1RLNZBiuoh6he8qeGLY7lgZzbXwZdCBfxUc0IbFH2Vxr4JcIYfprXtg8c5O
H4lUqgdXR09kWof9bR+DWqWKGcPp3UGSp1GzljPh3OrfdOj1DE7vErphG6SQaa16
mVGlrmhU8DnUNbMRbswwbzFj7BrG3i3uWyO3t6IpUQvvtUB+tao82U/tg3TVN5it
gYT6f6CTUsNQMSlk2Fu8rPr8zqA8Ik9D4lnOksA1KGhzyHshogRqybq/buWo3lfq
rgLnyrCMOE/KwoXd8FXKaV9WjItrpys/IEFNLIAT+DN6SyZbKZh602n6WaJY9g6g
DtIhrpjjNX7OX9zXiYsVC6oWTWakJmvhtFZifnY/rxUncyFPRkhcBiQ9EcHOHAoB
+m7CSXefjQlr9qeN44G1EBr8mWs+nm9ZteGpztlsfw15SWZLYWnTjTvf1qLt3ZQh
uiPX1cs2ONgs0jfYyvK7l3IQcaLNTysh8qWgQsJnXTLmHMAKpiPkI9c+zF8T9HLP
sXvGX7u5ArltSoig45ldhKUvHWBEfA+yKjh302my+bsnGi5jjTUp/Tlu62kOHUIY
Xo0M1HetEKy9My4NoDAZpHSztTvCih8bNbeTCKTqOljJ94LarsMJ7Jswo2G00eBs
O3ukJIMQ0S5+5GIS/eWN
=9fyV
-----END PGP SIGNATURE-----