JAR files
Aug 04, 2009
I. BACKGROUND
Pack200 is a compression method introduced by Sun in the 1.5 release of
the JRE. It is used to compress JAR files, and is optimized for the
compression of Java class files. A Java applet can be compressed using
the pack200 tool, and if the browser plug-in supports the pack200-gzip
encoding it will pass the compressed JAR file to the JRE for unpacking.
For more information, see the vendor's site at the following links.
Mar 25, 2009
Dec 02, 2008
but does not require a minimum for its length, which allows attackers
to spoof HMAC-based signatures and bypass authentication by specifying
a truncation length with a small number of bits (CVE-2009-0217).
The Java Web Start framework does not properly check the trust of all
application JAR files, which allows context-dependent attackers to
execute arbitrary code via a crafted application, related to NetX
(CVE-2009-1896).
Some variables and data structures declared without the final
keyword allow context-dependent attackers to
Several problems were discovered in the JavaScript engine. If a
user were tricked into opening a malicious web page, an attacker
could perform cross-site scripting attacks. (CVE-2008-2800)
Collin Jackson discovered various flaws in the JavaScript engine
which allowed JavaScript to be injected into signed JAR files. If
a user were tricked into opening malicious web content, an
attacker may be able to execute arbitrary code with the privileges
of a different website or link content within the JAR file to an
attacker-controlled JavaScript file. (CVE-2008-2801)
attacker could execute JavaScript in the context of a different website.
(CVE-2008-5022)
Collin Jackson discovered various flaws in Firefox when processing
stylesheets which allowed JavaScript to be injected into signed JAR
files. If a user were tricked into opening malicious web content, an
attacker could execute arbitrary code with the privileges of the
signed JAR or of a different website. (CVE-2008-5023)
Chris Evans discovered that Firefox did not properly parse E4X
documents, leading to quote characters in the namespace not being
vulnerable installations of the Sun Java Runtime. User interaction is
required in that a target must visit a malicious web page or open a
malicious JNLP file.
The specific flaw exists within the code responsible for handling
Pack200 compressed JAR files. During decompression, several fields
within a Pack200 header are trusted and used to calculate sizes for heap
buffer allocations. By providing malicious values an attacker can create
undersized heap buffers and subsequently overflow them. This can be
leveraged to execute arbitrary code under the context of the user
accessing the file or web page.
the execution of arbitrary code with the privileges of the user running
the application. Furthermore, a remote attacker could cause a Denial of
Service affecting multiple services via several vectors, disclose
information and memory contents, write or execute local files, conduct
session hijacking attacks via GIFAR files, steal cookies, bypass the
same-origin policy, load untrusted JAR files, establish network
connections to arbitrary hosts and ports via several vectors, modify
the list of supported graphics configurations, bypass HMAC-based
authentication systems, escalate privileges via several vectors and
cause applet code to be executed with older, possibly vulnerable
versions of the JRE.
applications or applets to make all the necessary changes.
Details follow:
It was discovered that IcedTea for Java did not properly verify
signatures when handling multiply signed or partially signed JAR files,
allowing an attacker to cause code to execute that appeared to come
from a verified source. (CVE-2011-0025)
USN 1052-1 fixed a vulnerability in OpenJDK for Ubuntu 9.10 and Ubuntu
10.04 LTS on all architectures, and Ubuntu 10.10 for all architectures
a Java application could crash, leading to a denial of service.
(CVE-2010-0092, CVE-2010-0093, CVE-2010-0095, CVE-2010-0845)
It was discovered that Pack200, CMM readMabCurveData, ImagingLib, and
the AWT library did not correctly check buffer lengths. If a user or
automated system were tricked into handling specially crafted JAR files or
images, a remote attacker could crash the Java application or possibly
gain user privileges (CVE-2010-0837, CVE-2010-0838, CVE-2010-0847,
CVE-2010-0848).
It was discovered that applets did not correctly handle certain trust
CVE-2011-3553
JAX-WS enables stack traces for certain server responses by
default, potentially leaking sensitive information.
CVE-2011-3554
JAR files in pack200 format are not properly checked for
errors, potentially leading to arbitrary code execution when
unpacking crafted pack200 files.
CVE-2011-3556
The RMI Registry server lacks access restrictions on certain
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Team SHATTER Security Advisory
Multiple DoS in JAR files manipulation procedures
April 17th 2008
Risk Level:
High
CVE-2010-4472
Untrusted code can replace the XML DSIG implementation.
CVE-2011-0025
Signatures on JAR files are not properly verified, which allows
remote attackers to trick users into executing code that appears
to come from a trusted source.
CVE-2011-0706
The JNLPClassLoader class allows remote attackers to gain
loop of estimations during conversion to a double-precision binary
floating-point number, as demonstrated using 2.2250738585072012e-308
(CVE-2010-4476).
IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5
does not properly verify signatures for JAR files that (1) are
partially signed or (2) are signed by multiple entities, which allows
remote attackers to trick users into executing code that appears to
come from a trusted source (CVE-2011-0025).
The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in