CVE-2012-4540

Common Vulnerabilities and Exposures

Upstream information

CVE-2012-4540 at MITRE

Description

Off-by-one error in the invoke function in IcedTeaScriptablePluginObject.cc in IcedTea-Web 1.1.x before 1.1.7, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.x before 1.4.1 allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly execute arbitrary code via a crafted webpage that triggers a heap-based buffer overflow, related to an error message and a "triggering event attached to applet." NOTE: the 1.4.x versions were originally associated with CVE-2013-4349, but that entry has been MERGED with this one.

NVD CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Novell/SUSE information

Novell Bugzilla entry: 787846, 840572

SUSE Security Advisories:

List of released packages

Product(s) / Fixed package version(s) / References

SLE 11 SP2 DEBUGINFO
  • icedtea-web-debuginfo >= 1.4.1-0.8.1
  • icedtea-web-debugsource >= 1.4.1-0.8.1
  References: Builds; SAT Patch Nr: 8357

SUSE Linux Enterprise Desktop 11 SP2
  • icedtea-web >= 1.4.1-0.8.1
  References: Builds; SAT Patch Nr: 8357

SLE 11 SP3 DEBUGINFO
  • icedtea-web-debuginfo >= 1.4.1-0.11.1
  • icedtea-web-debugsource >= 1.4.1-0.11.1
  References: Builds; SAT Patch Nr: 8358

SUSE Linux Enterprise Desktop 11 SP3
  • icedtea-web >= 1.4.1-0.11.1
  References: Builds; SAT Patch Nr: 8358

SLE 11 SP2 DEBUGINFO
  • icedtea-web-debuginfo >= 1.3.1-0.5.1
  • icedtea-web-debugsource >= 1.3.1-0.5.1
  References: Builds (sled11-sp2.x86-64, sled11-sp2.x86); SAT Patch Nr: 7041

SUSE Linux Enterprise Desktop 11 SP2
  • icedtea-web >= 1.3.1-0.5.1
  References: Builds (sled11-sp2.x86-64, sled11-sp2.x86); SAT Patch Nr: 7041

© 2014 Novell