Sun Java Development Kit (JDK) ICC profile integer overflow (ICC_Profile_Generic_Tag_Overflow)

About this signature or vulnerability

IBM Security Host Protection for Servers (Unix), Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, Proventia Network IPS, IBM Security Network Protection, IBM Security Host Protection for Desktops, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Host Protection for Servers (Windows), Proventia Network MFS, RealSecure Server Sensor:

This signature detects a specially crafted ICC (International Color Consortium) profile with an excessively large tag designed to overflow vulnerable ICC decoders.

Default risk level

High risk vulnerability  High

Sensors that have this signature

IBM Security Host Protection for Servers (Unix): 2.2.2, Virtual Server Protection for Vmware: XPU 32.020, Proventia Server IPS for Linux technology: 32.020, Proventia Network IPS: XPU 32.020, IBM Security Network Protection: 5.1, IBM Security Host Protection for Desktops: 2730, Proventia Network IDS: XPU 32.020, Proventia-G 1.1 and earlier: XPU 32.020, IBM Security Host Protection for Servers (Windows):, Proventia Network MFS: XPU 32.020, RealSecure Server Sensor: XPU 32.020

Systems affected

Sun SDK: 1.4.2_09, Sun SDK: 1.4.2_10, Sun JRE: 1.5.0 Update4, Sun JRE: 1.5.0 Update5, Sun JRE: 1.5.0 Update2, Sun JRE: 1.4.2 Update7, Sun JRE: 1.5.0 Update1, Sun JRE: 1.4.2 Update9, Sun JRE: 1.4.2 Update8, Sun JRE: 1.5.0 Update6, Sun SDK: 1.3.0, Sun SDK: 1.3.1_01, Sun SDK: 1.3.1_19, Sun SDK: 1.3.1_20, Sun SDK: 1.4.2_03, Sun SDK: 1.3.1_16, Sun SDK: 1.3.1_18, Sun SDK: 1.3.1_01a, Sun SDK: 1.4.2_08, Novell OpenSUSE: 10.2, Sun JRE: 1.3.1 Update17, Sun JRE: 1.3.1 Update6, Sun JRE: 1.3.1 Update5, Sun JRE: 1.3.1 Update3, Sun JRE: 1.3.1 Update7, Sun JRE: 1.3.1 Update10, Sun JRE: 1.3.1 Update9, Sun JRE: 1.3.1 Update11, Sun JRE: 1.3.1 Update12, Sun SDK: 1.3.0_05, Sun SDK: 1.3.0_02, Sun SDK: 1.3.1_03, Sun JRE: 1.3.1 Update14, Sun JRE: 1.3.1 Update13, Sun SDK: 1.4.2_05, Sun SDK: 1.4.2_07, Sun SDK: 1.4.2_06, Sun SDK: 1.4.2_01, Sun SDK: 1.3.1_02, Sun SDK: 1.3.1_04, Sun SDK: 1.3.1_05, Sun SDK: 1.3.1_08, Sun SDK: 1.3.1_07, Sun SDK: 1.3.1_06, Sun SDK: 1.3.1_09, Sun SDK: 1.3.1_11, Sun SDK: 1.3.1_10, Sun JRE: 1.3.1 Update2, Sun SDK: 1.3.1_17, Sun SDK: 1.3.1_15, Sun SDK: 1.3.1_12, Sun SDK: 1.3.1_14, Sun SDK: 1.3.1_13, Sun SDK: 1.4.2_04, Sun SDK: 1.4.2_02, Sun JDK: 1.5.0 Update6, Sun JDK: 1.5.0 Update5, Sun JDK: 1.5.0 Update3, Sun JDK: 1.5.0 Update4, Sun JDK: 1.5.0 Update2, Sun JDK: 1.5.0, Sun JDK: 1.5.0 Update1, Sun JDK: 1.5.0 Update9, Sun JDK: 1.5.0 Update7 B03, Sun JDK: 1.5.0 Update8, Sun JDK: 1.5.0 Update7, Sun JRE: 1.3.1 Update19, Sun JRE: 1.3.1 Update1a, Sun JRE: 1.3.1 Update18, Sun JRE: 1.3.1 Update16, Sun JRE: 1.3.1 Update15, Sun JRE: 1.3.1 Update1, Sun JRE: 1.4.2 Update12, Sun JRE: 1.4.2 Update11, Sun JRE: 1.4.2 Update13, Sun JRE: 1.4.2 Update14, Sun JRE: 1.4.2 Update1, Sun JRE: 1.3.1 Update8, Sun JRE: 1.3.1 Update20, Sun JRE: 1.3.1 Update4, Sun JRE: 1.4.2 Update10, Sun JRE: 1.4.2 Update2, Sun JRE: 1.4.2 Update3, Sun JRE: 1.4.2 Update6, Sun JRE: 1.4.2 Update4, Sun JRE: 1.4.2 Update5, Novell Open Enterprise Server, RedHat Network Satellite Server: 4.2, RedHat RHEL Extras: 4.6.z, Sun JRE: 1.6.0, Sun JDK: 1.6.0, Sun SDK: 1.4.2_12, Novell SUSE Linux Enterprise Server: 10 SP1, Novell SUSE Linux Enterprise Desktop: 10 SP1, Novell SLE SDK: 10 SP1, Sun JRE: 1.5.0 Update7, Sun JDK: 1.5.0 Update10, Sun JRE: 1.5.0 Update9, Sun JRE: 1.5.0 Update8, Sun JRE: 1.5.0 Update10, Sun SDK: 1.4.2_11, Sun SDK: 1.4.2_13, Sun SDK: 1.4.2_14, RedHat Network Satellite Server: 5.0, RedHat RHEL Desktop Supplementary: 5 Client, RedHat RHEL Supplementary: 5 Server, RedHat RHEL Supplementary: 5.1.z EUS, RedHat RHEL Extras: 3, RedHat RHEL Extras: 4, SUSE SuSE Linux: 10.0, Sun JRE: 1.5.0 Update3, Novell SUSE Linux Enterprise Server: 10, Novell SLE SDK: 10, SuSE Linux Enterprise Server: 9, Novell Linux POS: 9, SuSE SuSE Linux Retail Solution: 8, Novell Linux Desktop: 9, Novell Open Enterprise: Server, Sun SDK: 1.4.2, Sun JRE: 1.5.0, Sun JRE: 1.4.2, SuSE SuSE SLES: 9, Gentoo Linux, Novell UnitedLinux: 1.0, SuSE SuSE Linux OpenExchange Server: 4, SuSE Linux Enterprise Server: 8, SuSE SuSE Linux School Server, SuSE SuSE Linux Standard Server: 8, SUSE SuSE Linux: 9.0, Sun JRE: 1.3.1


Unauthorized Access Attempt

Vulnerability description

Sun Java Development Kit (JDK) is vulnerable to an integer overflow, caused by improper bounds checking by the embedded ICC profile image parser. By creating a specially-crafted JPEG or Bitmap image, a remote attacker could execute arbitrary code on the system if the attacker could persuade the victim to view the malicious image.

How to remove this vulnerability

Upgrade to the latest version of Sun JDK (1.5.0_07-b03 or 1.6.0_01-b06 or later), available from the Sun Microsystems Web site. See References.

For Gentoo Linux (Sun JDK/JRE):
Refer to GLSA 200705-23 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (emul-linux-x86-java):
Refer to GLSA 200706-08 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (BEA JRockit):
Refer to GLSA 200709-15 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.


Chris Evans Security Advisory CESA-2006-004
JDK image parsing library vulnerabilities (ICC parsing, BMP parsing)

Sun Microsystems Web site
Java SE Downloads

GLSA 200705-23
Sun JDK/JRE: Multiple vulnerabilities

GLSA 200706-08
emul-linux-x86-java: Multiple vulnerabilities

GLSA 200709-15
BEA JRockit: Multiple vulnerabilities

18 Oct 2007 IBM Java Security problems

Apple Web site
About the security content of Java Release 6 for Mac OS X 10.4

ISS X-Force
Sun Java Development Kit (JDK) ICC profile integer overflow