CVE-2012-3423

Published: 31 July 2012

The IcedTea-Web plugin before 1.2.1 does not properly handle NPVariant NPStrings without NUL terminators, which allows remote attackers to cause a denial of service (crash), obtain sensitive information from memory, or execute arbitrary code via a crafted Java applet.

Priority

Status

Package	Release	Status
icedtea-web Launchpad, Ubuntu, Debian	hardy	Does not exist
	lucid	Released (1.2-2ubuntu0.10.04.2)
	natty	Released (1.2-2ubuntu0.11.04.2)
	oneiric	Released (1.2-2ubuntu0.11.10.2)
	precise	Released (1.2-2ubuntu1.1)
	upstream	Released (1.2.1)
	Patches: upstream: http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/d7375e2a9076 upstream: http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/d65bd94e0ba9

References

https://dbhole.wordpress.com/2012/07/31/icedtea-web-1-1-6-and-1-2-1-security-releases-released/
https://ubuntu.com/security/notices/USN-1521-1
https://www.cve.org/CVERecord?id=CVE-2012-3423
NVD
Launchpad
Debian

Bugs

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=518
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=863

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›