The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Java JRE, JDK, SDK: privilege elevation via a font

Synthesis of the vulnerability 

A malicious Java applet can generate an error when a font is parsed in order to execute code.
Impacted software: WebSphere AS Traditional, NLD, OES, Java Oracle, RHEL, SLES.
Severity of this computer vulnerability: 3/4.
Creation date: 16/08/2007.
Revision date: 30/10/2007.
References of this announcement: 102934, 103024, 6376296, 6483556, 6483560, BID-25340, CVE-2007-4381, NGS00419, PK64999, PK65161, RHSA-2007:0956-01, RHSA-2007:1086-01, RHSA-2008:0100-01, RHSA-2008:0132-01, SUSE-SA:2008:025, VIGILANCE-VUL-7102.

Description of the vulnerability 

A TrueType font file contains instructions to convert a character to a bitmap image ("hinting language"). This micro-language supports the following constructs: loops, conditional branches (if), variables, functions, instructions on points, etc.

The CVT table (Control Value Table) contains global variables about the appearance of the character: generic horizontal width, generic horizontal height, mean round, etc. The WCVTP (opcode 0x44) and WCVTF (opcode 0x70) instructions change the value of a CV, and RCVT (opcode 0x45) reads a CV:
 - WCVTP value, location
 - RCVT location

However, the TrueType language implementation in JRE/JDK/SDK does not check the value of the "location" parameter. An attacker can thus read from or write to an arbitrary memory location.

This vulnerability therefore permits an applet to elevate its privileges.
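
The missing check described above, as an added example (not code from the JRE or from this bulletin): a minimal C interpreter for PUSHB, PUSHW, WCVTP and RCVT that validates "location" against the CVT size before every access. All function and constant names are hypothetical; the PUSHB/PUSHW opcodes (0xB0-0xBF) and the stack order (value on top, location beneath) are taken from the TrueType instruction set, not from this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example; names are hypothetical. Opcodes follow the TrueType instruction set. */
enum { OP_WCVTP = 0x44, OP_RCVT = 0x45, OP_PUSHB = 0xB0, OP_PUSHW = 0xB8 };
enum { HINT_OK = 0, HINT_BAD_CVT = -1, HINT_STACK = -2, HINT_TRUNC = -3, HINT_BAD_OP = -4 };
#define STACK_MAX 32

/* Stack cells are signed 32-bit, so "location" may be negative as well as too large. */
static int cvt_ok(int32_t loc, size_t cvt_len) {
    return loc >= 0 && (size_t)loc < cvt_len;
}

int run_hints(const uint8_t *code, size_t len, int32_t *cvt, size_t cvt_len) {
    int32_t stack[STACK_MAX];
    size_t sp = 0, pc = 0;
    while (pc < len) {
        uint8_t op = code[pc++];
        if (op >= OP_PUSHB && op <= 0xBF) {          /* PUSHB[n] / PUSHW[n] */
            int wide = op >= OP_PUSHW;
            size_t n = (size_t)(op & 7) + 1;         /* number of operands to push */
            if (len - pc < n * (wide ? 2 : 1)) return HINT_TRUNC;
            if (STACK_MAX - sp < n) return HINT_STACK;
            while (n--) {
                if (wide) { stack[sp++] = (int16_t)(uint16_t)((code[pc] << 8) | code[pc + 1]); pc += 2; }
                else stack[sp++] = code[pc++];
            }
        } else if (op == OP_WCVTP) {                 /* pops value, then location */
            if (sp < 2) return HINT_STACK;
            int32_t value = stack[--sp], loc = stack[--sp];
            if (!cvt_ok(loc, cvt_len)) return HINT_BAD_CVT;  /* the check the advisory says was absent */
            cvt[loc] = value;
        } else if (op == OP_RCVT) {                  /* replaces location with CVT value */
            if (sp < 1) return HINT_STACK;
            int32_t loc = stack[sp - 1];
            if (!cvt_ok(loc, cvt_len)) return HINT_BAD_CVT;
            stack[sp - 1] = cvt[loc];
        } else return HINT_BAD_OP;
    }
    return HINT_OK;
}

int main(void) {
    int32_t cvt[4] = {0};
    const uint8_t prog[] = {0xB1, 200, 64, 0x44};    /* constructed: WCVTP 64 -> location 200 */
    printf("status=%d\n", run_hints(prog, sizeof prog, cvt, 4));
    return 0;
}
```

A font program that addresses a CV outside the table is rejected with `HINT_BAD_CVT` instead of touching memory next to the CVT.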

This security alert impacts software or systems such as WebSphere AS Traditional, NLD, OES, Java Oracle, RHEL, SLES.

Our Vigil@nce team determined that the severity of this security weakness is important.

The trust level is "confirmed by the editor", with an origin of document.

An attacker with expert ability can exploit this security announcement.

Solutions for this threat 

Java JRE/JDK: version 5.0 Update 10.
Version 5.0 Update 10 is corrected:
  http://java.sun.com/javase/downloads/index_jdk5.jsp

SDK, JRE: version 1.4.2_15.
Version 1.4.2_15 is corrected:
  http://java.sun.com/j2se/1.4.2/download.html

WebSphere AS: APAR for Java Plug-in.
An APAR is available:
  http://www-1.ibm.com/support/docview.wss?uid=swg1PK65161

RHEL 3E, 4E, 5S: new java-1.4.2-bea packages.
New packages are available:
Red Hat Enterprise Linux version 3 : java-1.4.2-bea-1.4.2.16-1jpp.1.el3
Red Hat Enterprise Linux version 4 : java-1.4.2-bea-1.4.2.16-1jpp.1.el4
Red Hat Enterprise Linux version 5 : java-1.4.2-bea-1.4.2.16-1jpp.1.el5

RHEL 3E, 4E, 5S: new java-1.4.2-ibm packages.
New packages are available:
Red Hat Enterprise Linux version 3 Extras: java-1.4.2-ibm-1.4.2.10-1jpp.2.el3
Red Hat Enterprise Linux version 4 Extras: java-1.4.2-ibm-1.4.2.10-1jpp.2.el4
Red Hat Enterprise Linux version 5 Supplementary : java-1.4.2-ibm-1.4.2.10-1jpp.2.el5

RHEL 4 Extras: new java-1.4.2-bea packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras: java-1.4.2-bea-1.4.2.15-1jpp.2.el4

RHEL: new java-1.5.0-bea packages.
New packages are available:
Red Hat Enterprise Linux version 4: java-1.5.0-bea-1.5.0.11-1jpp.2.el4
Red Hat Enterprise Linux version 5: java-1.5.0-bea-1.5.0.11-1jpp.1.el5

SUSE: new IBM Java packages.
New packages are available:
   SUSE Linux Enterprise Desktop 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
   SUSE Linux Enterprise Server 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   SLE SDK 10 SP1
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   Open Enterprise Server
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   Novell Linux POS 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   SUSE SLES 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html