CVE-2013-1493

Published: 04 March 2013

The color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via an image with crafted raster parameters, which triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as exploited in the wild in February 2013.

Priority

High

Status

Package / Release / Status

openjdk-6 (Launchpad, Ubuntu, Debian)
  Upstream: Pending (6b27-1.12.4)
  Patches:
    Upstream: http://icedtea.classpath.org/hg/release/icedtea6-1.12/rev/abc301613e43 (8007675.patch)

openjdk-6b18 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage

openjdk-7 (Launchpad, Ubuntu, Debian)
  Upstream: Pending (7u15-2.3.8)

Notes

Author / Note

mdeslaur:
  in lucid+, NetX and the plugin moved to the icedtea-web package

jdstrand:
  sun-java6 is not redistributable, no longer in the archive and no longer tracked
  sun-java5 is EOL upstream and no longer tracked
  as of 2013-03-05, no patches for openjdk-7

References