PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-01
* Released on: 16th February 2012
* Affected products:
    Oracle Java SE 7 below Update 3
    Oracle Java SE 6 below Update 31
    IcedTea6 1.8.x below 1.8.13
    IcedTea6 1.9.x below 1.9.13
    IcedTea6 1.10.x below 1.10.6
    IcedTea6 1.11.x below 1.11.1
    IcedTea 2.x below 2.0.1
  Older versions may also be affected.
* Impact: denial-of-service
* Origin: java.util.zip
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-0501

Summary
-------

The function countCENHeaders() in zip_util.c of the java.util.zip
implementation contains an off-by-one bug. The bug can be triggered via
corrupted ZIP files to cause an endless recursion. The endless recursion
results in a segmentation fault of the JVM.

The following assessment is based on the JDK sources available from
Oracle's website (jdk-6u23-fcs-src-b05-jrl-12_nov_2010.jar). The numbers
in parentheses are line numbers in zip_util.c.

readCEN() in zip_util.c is used by java.util.zip to read the central
directory of ZIP files. It reads the total number of entries from the
ZIP file via the ENDTOT field:

  (543) total = (knownTotal != -1) ? knownTotal : ENDTOT(endbuf);

A corrupted ZIP file may have set the total number of entries to 0.
Alternatively, knownTotal may have been passed as a parameter with
value 0.

readCEN() iterates over all directory entries

  (552) for (i = 0, cp = cenbuf; cp <= cenend - CENHDR; i++, cp += CENSIZE(cp)) {

and recognizes an incorrect total field

  (557) if (i >= total) {

In this case, readCEN() counts the number of central directory entries
via countCENHeaders() before calling itself recursively

  (561) cenpos = readCEN(zip, countCENHeaders(cenbuf, cenend));

However, countCENHeaders() has an off-by-one bug. It fails to count an
entry that is precisely CENHDR bytes long

  (431) for (i = 0; i + CENHDR < end - beg; i += CENSIZE(beg + i))

and returns 0 in this case. Hence, readCEN() is called recursively with
knownTotal = 0, resulting in an endless recursion.
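To make the off-by-one concrete, the C program below is an added illustration written for this page; it is not code from zip_util.c or from Oracle/IcedTea. It re-implements the counting loop once with the bound quoted above and once with an inclusive bound, and models readCEN()'s recount-and-recurse path with a guard that refuses to recurse when the recount makes no progress. CENHDR (46) and the name/extra/comment length offsets follow the ZIP central directory layout; the single 46-byte sample header is constructed here; the inclusive bound and the no-progress guard are illustrations of the defect and a defensive check, not the vendor's patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Read a little-endian 16-bit field, as the ZIP format stores lengths. */
static unsigned le16(const unsigned char *p) {
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

/* Central directory (CEN) header: 46 fixed bytes followed by the
 * variable-length name, extra and comment fields. The field offsets are
 * those of the ZIP format; the macro names mirror zip_util.c's usage. */
#define CENHDR 46
#define CENNAM(cen) le16((cen) + 28)   /* file name length   */
#define CENEXT(cen) le16((cen) + 30)   /* extra field length */
#define CENCOM(cen) le16((cen) + 32)   /* comment length     */
#define CENSIZE(cen) (CENHDR + CENNAM(cen) + CENEXT(cen) + CENCOM(cen))

/* Loop bound as quoted from zip_util.c line 431: an entry whose end
 * coincides with the end of the buffer is never visited, so a directory
 * holding exactly one 46-byte header is counted as empty. */
int count_cen_headers_buggy(const unsigned char *beg, const unsigned char *end) {
    int count = 0;
    ptrdiff_t i;
    for (i = 0; i + CENHDR < end - beg; i += CENSIZE(beg + i))
        count++;
    return count;
}

/* Same loop with an inclusive bound (illustrative correction): a header
 * that exactly fills the remaining bytes is counted. The 2-byte length
 * fields at offsets 28..33 still lie inside the guaranteed 46 bytes. */
int count_cen_headers_fixed(const unsigned char *beg, const unsigned char *end) {
    int count = 0;
    ptrdiff_t i;
    for (i = 0; i + CENHDR <= end - beg; i += CENSIZE(beg + i))
        count++;
    return count;
}

typedef int (*cen_counter)(const unsigned char *, const unsigned char *);

/* Model of readCEN()'s recount-and-recurse path (lines 543-561 above).
 * Returns the number of entries accepted, or -1 when the recount equals
 * the total we already tried: recursing again with the same value could
 * only repeat forever, which is exactly the failure the advisory describes.
 * The guard is an added safety net, not part of the original function. */
int read_cen_model(const unsigned char *cenbuf, const unsigned char *cenend,
                   int endtot, int knownTotal, cen_counter counter) {
    int total = (knownTotal != -1) ? knownTotal : endtot;
    const unsigned char *cp;
    int i;
    for (i = 0, cp = cenbuf; cp <= cenend - CENHDR; i++, cp += CENSIZE(cp)) {
        if (i >= total) {
            int recount = counter(cenbuf, cenend);
            if (recount == knownTotal)
                return -1;                      /* no progress: reject file */
            return read_cen_model(cenbuf, cenend, endtot, recount, counter);
        }
    }
    return i;
}

/* Constructed sample: one CEN header with zero-length name, extra and
 * comment fields, so the entry is exactly CENHDR bytes long. The ENDTOT
 * field of the same file is taken to be corrupted to 0. */
static const unsigned char SAMPLE_CEN[CENHDR] = { 'P', 'K', 1, 2 };
static const int SAMPLE_ENDTOT = 0;

int demo_buggy_count(void) {
    return count_cen_headers_buggy(SAMPLE_CEN, SAMPLE_CEN + CENHDR);
}
int demo_fixed_count(void) {
    return count_cen_headers_fixed(SAMPLE_CEN, SAMPLE_CEN + CENHDR);
}
int demo_readcen_with_buggy_counter(void) {
    return read_cen_model(SAMPLE_CEN, SAMPLE_CEN + CENHDR, SAMPLE_ENDTOT, -1,
                          count_cen_headers_buggy);
}
int demo_readcen_with_fixed_counter(void) {
    return read_cen_model(SAMPLE_CEN, SAMPLE_CEN + CENHDR, SAMPLE_ENDTOT, -1,
                          count_cen_headers_fixed);
}

int main(void) {
    printf("countCENHeaders, quoted bound:    %d\n", demo_buggy_count());
    printf("countCENHeaders, inclusive bound: %d\n", demo_fixed_count());
    printf("readCEN model with buggy counter: %d (rejected)\n",
           demo_readcen_with_buggy_counter());
    printf("readCEN model with fixed counter: %d (entries)\n",
           demo_readcen_with_fixed_counter());
    return 0;
}
```

With the quoted bound the recount returns 0, readCEN() is re-entered with knownTotal = 0, the recount is 0 again, and without the guard the function would recurse until the stack is exhausted; the model returns -1 instead. With the inclusive bound the recount is 1 and the single recursion terminates with one entry.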
Solution
--------

The issue was fixed in the following versions:

    Oracle Java SE 7 Update 3
    Oracle Java SE 6 Update 31
    IcedTea6 1.8.13
    IcedTea6 1.9.13
    IcedTea6 1.10.6
    IcedTea6 1.11.1
    IcedTea 2.0.1
    IcedTea 2.1

References
----------

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
http://blog.fuseyism.com/index.php/2012/02/15/security-icedtea6-1-8-13-1-9-13-1-10-6-and-icedtea-2-0-1-released/
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-February/017233.html
http://blog.fuseyism.com/index.php/2012/02/15/icedtea-2-1-released-openjdk7-u3-release/

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-01.txt

Contact
-------

PRE-CERT can be reached under precert@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.